
From: Olivier Berger
Subject: [phpGroupWare-developers] Need your advice on php5 session files - [Fwd: Bug#479905: phpgroupware-0.9.16-core-base: /var/lib/phpgroupware/sessions grows as files are never purged]
Date: Wed, 07 May 2008 12:15:05 +0200

Hello.

I'm considering the right way to manage the PHP session files on
standard installations in Debian.

Maybe you can help, as I'm not really expert in PHP.

In Debian's default configuration, phpGroupware uses session files, and
the session.save_path is directed to a specific directory, separate from
the PHP5 default (/var/lib/phpgroupware/sessions instead of the
default /var/lib/php5/ in Debian).

I guess such a separate dir was a way to prevent collision with other
applications which may lead to security issues as phpGroupware sessions
may contain sensitive information.

Would this be a big risk to store them in the same place as other PHP
apps installed on the same server ?

Would you recommend any policy ?

You'll find below a bug-report about these files not being purged ATM
in Debian, btw ;)

Thanks in advance for your insights.

Best regards,
-------- Forwarded message --------
From: Olivier Berger <address@hidden>
Reply-To: Olivier Berger <address@hidden>,
address@hidden
To: address@hidden
Subject: Bug#479905:
phpgroupware-0.9.16-core-base: /var/lib/phpgroupware/sessions grows as
files are never purged
Date: Wed, 07 May 2008 11:20:21 +0200

On Wednesday 07 May 2008 at 10:57 +0200, Olivier Berger wrote:
> 
> Since the re-definition of the sessions save path into phpgroupware's own 
> dirs session files are no longer saved into php5-common's dir, and are thus 
> not purged by the php5-common cron job.
> 
> This leads potentially to the progressive fill-up of the disk, although at a 
> quite slow pace.
> 
> This needs to be fixed.
> 
> Btw, it must have been happening also on epoch 0 packages back when php4 was 
> used (on sarge, etch ?) when the custom php.ini parameters were applied... 
> but apparently no one noticed.
> 

(responding to myself)

I'm a bit doubtful about the correct way to handle this.

It's obviously possible to add a crontab like php5-common's one.

But in the end, I'm not so sure it's best to keep sessions apart from
php5's defaults in Debian.

I can see some security assumptions about doing so... but I'm not so
sure it's really necessary. There may be a Debian policy for that ?

I'll try and ask upstream and also to other php5 maintainers maybe... 

Regards,
-- 
Olivier BERGER <address@hidden> (*NEW ADDRESS*)
http://www-inf.it-sudparis.eu/~olberger/ - OpenPGP-Id: 1024D/6B829EEC
Research Engineer - Dept INF
Institut TELECOM / TELECOM & Management SudParis (http://www.it-sudparis.eu/), Evry
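
Added example (not part of the original message, and not Debian's or phpGroupWare's own script): a cron-callable shell script for the purge discussed above, plus a check that the separate session directory is not listable by other local users, since the file names carry the session IDs. The function names, the `sess_*` pattern of PHP's `files` handler and the 24-minute age (PHP's default `session.gc_maxlifetime` of 1440 seconds) are assumptions of this example; `/var/lib/phpgroupware/sessions` is the path from the message.

```shell
#!/bin/sh
# Added example. Assumes a find(1) with -maxdepth, -mmin and -delete (GNU or BSD).

# purge_sessions DIR MAX_AGE_MINUTES
# Removes regular files named sess_* directly inside DIR whose mtime is older
# than MAX_AGE_MINUTES, and prints how many files were removed.
purge_sessions() {
    dir=$1
    max_age=$2
    # Refuse symlinks and non-directories so a replaced path cannot redirect the delete.
    if [ -L "$dir" ] || [ ! -d "$dir" ]; then
        echo "purge_sessions: $dir is not a real directory" >&2
        return 1
    fi
    # The age must be a plain non-negative integer.
    case $max_age in
        ''|*[!0-9]*)
            echo "purge_sessions: bad max age: $max_age" >&2
            return 1 ;;
    esac
    # Only session files at the top level are touched; anything else is left alone.
    find "$dir" -maxdepth 1 -type f -name 'sess_*' -mmin "+$max_age" \
        -print -delete | wc -l | tr -d ' '
}

# dir_is_private DIR
# Succeeds when DIR exists and "other" users have no read bit on it, i.e. they
# cannot list the sess_<id> file names stored there.
dir_is_private() {
    [ -d "$1" ] || return 1
    [ -z "$(find "$1" -maxdepth 0 -perm -004 2>/dev/null)" ]
}

# Entry point for cron; the directory is the one named in the message, the
# 24-minute age is this example's assumption. A constructed cron line:
#   09,39 * * * * root /usr/local/sbin/purge-pgw-sessions --run
if [ "${1:-}" = "--run" ]; then
    SESSION_DIR=/var/lib/phpgroupware/sessions
    dir_is_private "$SESSION_DIR" ||
        echo "warning: $SESSION_DIR is listable by other users" >&2
    purge_sessions "$SESSION_DIR" 24 >/dev/null
fi
```
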





