
Why it Matters

Magento's default session handler is 'files', which writes each session to the local filesystem (Magento's var/session directory, or PHP's own session.save_path, commonly /tmp, when the plain PHP handler is in use). On a shared host, any local account that can read those files can read session contents and session IDs and replay them against the store. In a multi-node cluster each node keeps its own files, so a request that the load balancer routes to a different node finds no session: the customer is logged out or loses the cart mid-checkout.

A dedicated session backend such as Redis or Magento's database handler gives every node the same session store, so logins and checkout survive rerouting, and it takes session data out of a local (often world-readable) directory and into a service that can be restricted by network ACLs and authentication. It does not by itself stop hijacking with a stolen cookie; that still depends on HTTPS, cookie flags and session lifetime. What it removes is the on-disk exposure and the cross-node inconsistency.

Verification Steps

Magento configuration

# Read the session block of env.php through PHP (handles nesting and quoting correctly)
php -r "var_export((include 'app/etc/env.php')['session'] ?? 'not set (defaults to files)');"

# Or, with grep; the session block is usually short, so a few lines of context is enough
grep -n -A8 "'session'" app/etc/env.php

# Expected: 'save' => 'redis' or 'save' => 'db'
# Fail: 'save' => 'files', or no 'save' key at all (Magento then falls back to 'files')

Command line

# Redis handler: log in to the storefront, then session keys (prefix sess_) should appear in the configured database
redis-cli -h 127.0.0.1 -p 6379 -n 2 --scan --pattern 'sess_*' | head

# Database handler: the session table should be receiving rows
mysql -e "SELECT COUNT(*) FROM session;" <db_name>

# Files handler leaves one file per session on disk; new files appearing here on a live store means it is still 'files'
ls -lt var/session | head
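A small audit script for the check above, added here as an example (it is not part of the baseline page or of Magento): it reads the 'save' handler out of an env.php with awk, so it also works on hosts where the php CLI is not installed, and fails the check when the handler is 'files' or missing. The sample env.php files it writes are constructed for the demonstration and assume the single-quoted short-array syntax that Magento itself writes into env.php.

```sh
#!/bin/sh
# Added example: audit the Magento session handler in env.php.
# Assumption: env.php uses the 'key' => 'value' short-array syntax Magento writes.

session_backend() {
  # Print the value of 'save' inside the 'session' => [ ... ] block of file $1.
  # Bracket depth is tracked so the block is left once it closes and a 'save'
  # key elsewhere in the file is not mistaken for the session handler.
  awk "
    /'session'[[:space:]]*=>/ { insess = 1; depth = 0; opened = 0 }
    insess {
      if (/'save'[[:space:]]*=>/) {
        v = \$0
        sub(/.*'save'[[:space:]]*=>[[:space:]]*'/, \"\", v)
        sub(/'.*/, \"\", v)
        print v
        exit
      }
      n = gsub(/\[/, \"[\")
      if (n > 0) opened = 1
      depth += n - gsub(/\]/, \"]\")
      if (opened && depth <= 0) exit
    }
  " "$1"
}

check_session_backend() {
  # 0 = shared backend; 1 = 'files' or unset (Magento falls back to 'files'); 2 = unknown.
  backend=$(session_backend "$1")
  case "$backend" in
    redis|db) echo "PASS $1: session save handler is '$backend'"; return 0 ;;
    files)    echo "FAIL $1: session save handler is 'files' (local disk, not shared across nodes)"; return 1 ;;
    "")       echo "FAIL $1: no session 'save' setting; Magento defaults to 'files'"; return 1 ;;
    *)        echo "WARN $1: unrecognised session save handler '$backend', review manually"; return 2 ;;
  esac
}

write_samples() {
  # Constructed env.php fragments for the demo; not taken from any real store.
  cat > "$1/env-files.php" <<'EOF'
<?php
return [
    'session' => [
        'save' => 'files'
    ]
];
EOF
  cat > "$1/env-db.php" <<'EOF'
<?php
return [
    'session' => [
        'save' => 'db'
    ]
];
EOF
  cat > "$1/env-redis.php" <<'EOF'
<?php
return [
    'cache' => [
        'frontend' => [
            'default' => ['backend' => 'Cm_Cache_Backend_Redis']
        ]
    ],
    'session' => [
        'save' => 'redis',
        'redis' => [
            'host' => '127.0.0.1',
            'port' => '6379',
            'database' => 2
        ]
    ]
];
EOF
  cat > "$1/env-unset.php" <<'EOF'
<?php
return [
    'session' => [
        'redis' => [
            'host' => '127.0.0.1'
        ]
    ],
    'lock' => [
        'provider' => 'db'
    ]
];
EOF
}

# Demo on the constructed samples; a real audit points at app/etc/env.php instead.
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
for f in "$demo_dir"/env-*.php; do
  check_session_backend "$f" || true
done
rm -rf "$demo_dir"
```

Run it from the Magento root with check_session_backend app/etc/env.php in a deploy pipeline and gate on the exit code; the env-unset sample is the case most often missed by a plain grep, since a session block that only carries Redis connection details but no 'save' key still runs on files.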

Remediation / Fix Guidance

  1. Configure Redis for session storage in env.php. Use a database number that the cache does not use (a cache flush must not wipe sessions), point 'host' at a private interface rather than a public one, and set 'password' when Redis requires AUTH, which it should whenever it is reachable from anything other than localhost:
    'session' => [
      'save' => 'redis',
      'redis' => [
        'host' => '127.0.0.1',
        'port' => '6379',
        'database' => 2
      ]
    ]
  2. If Redis is not available, use the database session handler, which stores sessions in the session table of the Magento database and is shared by all nodes without extra infrastructure:
    'session' => [
      'save' => 'db'
    ]
  3. Never use 'files' in production, and treat an absent 'save' key the same way, since Magento falls back to 'files' when it is missing.
  4. Switching backends discards all existing sessions, so make the change in a maintenance window. Afterwards log in, confirm that keys (Redis) or rows (database) appear, and watch error logs and checkout conversion for a few hours to catch timeouts or a Redis instance that is not reachable from every node.

Examples

Fail Example

# env.php
'session' => [
  'save' => 'files'
]
# Sessions written as files on each node's local disk (var/session, or PHP's session.save_path such as /tmp):
# readable by other local accounts on a shared host, and invisible to the other nodes in a cluster

Pass Example

# env.php
'session' => [
  'save' => 'redis',
  'redis' => [
    'host' => '127.0.0.1',
    'port' => '6379',
    'database' => 2
  ]
]
# Sessions live in Redis database 2, shared by every web node; keep this database separate from the cache
# and require AUTH if Redis is reachable beyond localhost
