
Thread: PHP/Apache access/permissions? I don't know... save_session_path

  1. #1
    Join Date
    Mar 2014
    Posts
    86

    Hi,

    I have had a problem for a year now... 06.2018 - after some update (?) of directadmin/packages through custombuild my script doesn't respect save_session_path - before that everything was fine.

    My script:
    PHP Code:
    session_save_path(realpath(dirname($_SERVER['DOCUMENT_ROOT'] . '/tmpsessions'))); // ini_set('session.save_path', $path); also not working
    // chmod of this dir is 775
    // var_dump(ini_get('session.save_path')); or echo session_save_path(); shows just /home/user/tmp ? why? it's not even set in php.ini and .htaccess
    ini_set('session.gc_maxlifetime', 21600); // it's working - changes value
    ini_set('session.gc_probability', 1); // it's working - changes value
    ini_set('session.gc_divisor', 1000); // it's working - changes value
    session_name('name');
    session_start();
    I described everything in the comments above.
    I think it's something with permissions? Because the script was working for almost 2 years... and suddenly stopped... I don't know what to do... I read literally all the articles about session.save_path and nothing is working...

    The weirdest thing is that it was working for ~2 years.... and I didn't change anything....

    What permissions should PHP (FPM)/Apache have in DirectAdmin to use this variable and save sessions to any dir I set (in /home/user domains/subdomains)?
    Last edited by ShinJii; 07-18-2019 at 09:07 AM.

  2. #2
    Join Date
    Jul 2017
    Location
    Murfreesboro
    Posts
    347
    I don't see it here, but what OS and PHP version are you on? Is all of DA and the server up to date?

    What do you get for

    php -i | grep session.save_path
    Thanks,
    Brent Dacus
    Just a regular guy from Tennessee

    CentOS 7 | DA | CB 2.0 | MariaDB 10.4 | PHP 7.2

    help me...it's HERE or Type "your issue your os directadmin" in google


  3. #3
    Join Date
    Mar 2014
    Posts
    86
    Quote Originally Posted by bdacus01 View Post
    I don't see it here, but what OS and PHP version are you on? Is all of DA and the server up to date?

    What do you get for

    php -i | grep session.save_path
    Hi,
    Yes I have everything up to date.
    CentOS 7 (newest version) + DA 1.575 + PHP 7.2 (FPM)

  4. #4
    Join Date
    Jul 2017
    Location
    Murfreesboro
    Posts
    347
    Code:
    php -i | grep session.save_path


  5. #5
    Join Date
    Mar 2014
    Posts
    86
    Quote Originally Posted by bdacus01 View Post
    Code:
    php -i | grep session.save_path
    Sorry, I forgot to paste:
    session.save_path => no value => no value

  6. #6
    Join Date
    Mar 2014
    Posts
    86
    Is there a possibility it has something to do with SELinux/policy? Sometimes I get some errors while updating that package in CentOS....

  7. #7
    Join Date
    Jul 2017
    Location
    Murfreesboro
    Posts
    347
    Quote Originally Posted by ShinJii View Post
    Sorry, I forgot to paste:
    Don't you need to set a path here?

    https://help.poralix.com/articles/se...ath-is-not-set


  8. #8
    Join Date
    Mar 2014
    Posts
    86
    Quote Originally Posted by bdacus01 View Post
    No. It was working earlier and I don't know why it's not working now... I have hundreds of subdomains/domains and I want to give each of them its own unique dir for this... not one dir for all domains/subdomains - it has to be set dynamically in the script by save_session_path();

  9. #9
    Join Date
    Apr 2005
    Location
    GMT +7.00
    Posts
    13,563
    PHP-FPM has a directive:

    Code:
    php_admin_value[session.save_path] = |PHP_SESSION_SAVE_PATH|
    in /usr/local/directadmin/data/templates/php-fpm.conf

    which makes it impossible to override the value anywhere else, as it has a precedence above all.

    You need to use DirectAdmin Web-UI (go to Custom HTTPD Configurations) and customize the value of the token |PHP_SESSION_SAVE_PATH|, add:

    Code:
    |?PHP_SESSION_SAVE_PATH=`HOME`/domains/`DOMAIN`/public_html/tmpsessions|
    into PHP-FPM config customization text-area and save.

    and by the way it is set to `HOME`/tmp by default.

    P.S. Storing sessions under `HOME`/domains/`DOMAIN`/public_html/tmpsessions is rather insecure, I'd say.
    Regards, Alex G.

    - Get the best commercial DirectAdmin support and hire me on poralix.com
    - Follow and like @Poralix on Facebook

  10. #10
    Join Date
    Mar 2014
    Posts
    86
    Thanks dude! By the way - why is it insecure? I think there's less probability in this case to hijack a session from another domain/subdomain?

  11. #11
    Join Date
    Mar 2014
    Posts
    86
    Hmmm... but why can't I change this value through the script? 1 year ago I could...

    EDIT: Even if I do |?PHP_SESSION_SAVE_PATH=""| there's still home/user/tmp ... why? if that's empty...
    Last edited by ShinJii; 07-18-2019 at 12:58 PM.

  12. #12
    Join Date
    Oct 2003
    Location
    Scottsdale, AZ
    Posts
    1,181
    Quote Originally Posted by ShinJii View Post
    Thanks dude! By the way - why is it insecure? I think there's less probability in this case to hijack a session from another domain/subdomain?
    It is insecure because it is within the public_html directory that is your Document Root. Therefore anyone can access the session files by going to http://<yourdomain>/tmpsessions

    Session files should be stored outside your document root. You should consider putting it at the same directory level as the public_html directory, i.e. /home/<owner>/domains/<domainname>/tmpsessions; that way it is outside your document root and is at the same level as your domain logs, private html directory, etc.
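
A diagnostic for the two points made in posts #9 and #12, as an added example that is not part of the original thread: it reports whether the runtime refuses changes to session.save_path (as a php_admin_value line causes) and whether the effective directory resolves inside the document root. The function names and report keys are assumptions made for this example.

```php
<?php
// Added example (not from the thread). Call before session_start() and before any output.

/** True when $path resolves to $root or to something beneath it. */
function is_inside(string $path, string $root): bool
{
    $p = realpath($path);
    $r = realpath($root);
    if ($p === false || $r === false) {
        return false; // a missing directory cannot be compared
    }
    return strpos($p . '/', rtrim($r, '/') . '/') === 0;
}

/** Hypothetical helper: describes the session directory PHP will really use. */
function audit_session_path(string $docRoot): array
{
    $effective = (string) ini_get('session.save_path');
    // The value may carry an "N;" or "N;MODE;" prefix; the directory is the last field.
    $fields = explode(';', $effective);
    $dir = end($fields);

    // Writing the current value back is harmless when it works. ini_set() returns
    // false when the runtime refuses the change: a php_admin_value line is the
    // usual cause, an open_basedir rejection is another.
    $refused = (@ini_set('session.save_path', $effective) === false);

    $mode = ($dir !== '' && is_dir($dir)) ? (fileperms($dir) & 0777) : null;

    return [
        'effective_dir'          => $dir,
        'runtime_change_refused' => $refused,
        'inside_document_root'   => $dir !== '' && is_inside($dir, $docRoot),
        'mode'                   => $mode === null ? null : sprintf('%04o', $mode),
        'world_bits_set'         => $mode !== null && ($mode & 0007) !== 0,
    ];
}

// DOCUMENT_ROOT is empty under the CLI, so fall back to this script's directory.
$docRoot = $_SERVER['DOCUMENT_ROOT'] ?? '';
$report = audit_session_path($docRoot !== '' ? $docRoot : __DIR__);
header('Content-Type: text/plain');
foreach ($report as $key => $value) {
    echo $key, ': ', var_export($value, true), "\n";
}
```

A directory with the 775 mode mentioned in the first post reports `world_bits_set` as true.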

  13. #13
    Join Date
    Apr 2005
    Location
    GMT +7.00
    Posts
    13,563
    Quote Originally Posted by ShinJii View Post
    EDIT: Even if I do |?PHP_SESSION_SAVE_PATH=""| there's still home/user/tmp ... why? if that's empty...
    try

    Code:
    |?PHP_SESSION_SAVE_PATH=|
    without quotes at all

  14. #14
    Join Date
    Mar 2014
    Posts
    86
    Quote Originally Posted by toml View Post
    It is insecure because it is within the public_html directory that is your Document Root. Therefore anyone can access the session files by going to http://<yourdomain>/tmpsessions

    Session files should be stored outside your document root. You should consider putting it at the same directory level as the public_html directory, i.e. /home/<owner>/domains/<domainname>/tmpsessions; that way it is outside your document root and is at the same level as your domain logs, private html directory, etc.
    Hmmmm... you're right... I didn't think about that, thanks!
