phpgroupware-developers


From: Dave Hall
Subject: Re: [phpGroupWare-developers] Need your advice on php5 session files - [Fwd: Bug#479905: phpgroupware-0.9.16-core-base: /var/lib/phpgroupware/sessions grows as files are never purged]
Date: Thu, 08 May 2008 05:15:41 +1000

On Wed, 2008-05-07 at 07:11 -0500, Chris Weiss wrote:
> On Wed, May 7, 2008 at 5:15 AM, Olivier Berger
> <address@hidden> wrote:
> > Hello.
> >
> >  I'm considering the right way to manage the PHP session files on
> >  standard installations in Debian.
> >
> >  Maybe you can help, as I'm not really expert in PHP.
> >
> >  In Debian's default configuration, phpGroupware uses session files, and
> >  the session.save_path is directed to a specific directory, separate from
> >  the PHP5 default (/var/lib/phpgroupware/sessions instead of the
> >  default /var/lib/php5/ in Debian).
> >
> >  I guess such a separate dir was a way to prevent collision with other
> >  applications which may lead to security issues as phpGroupware sessions
> >  may contain sensitive information.
> >
> >  Would this be a big risk to store them in the same place as other PHP
> >  apps installed on the same server ?
> >
> >  Would you recommend any policy ?
> >
> >  You'll find below a bug-report about these files not being purged ATM
> >  in Debian, btw ;)
> >
> 
> it's always been my impression that php's garbage collection, not a
> cron job, handles removing old session files.  maybe what we have is a
> bug in php itself...

In Debian it is a cron job.  See below

I recommend a separate directory, just for security, but it probably
doesn't provide much benefit, cos if you can read the session files you
can read the header.inc.php, and so get the db access credentials.

I am happy enough to use the common session path if that is easier for
you (and Debian).

Cheers

Dave

$ cat /etc/cron.d/php5 
# /etc/cron.d/php5: crontab fragment for php5
#  This purges session files older than X, where X is defined in seconds
#  as the largest value of session.gc_maxlifetime from all your php.ini
#  files, or 24 minutes if not defined.  See /usr/lib/php5/maxlifetime

# Look for and purge old sessions every 30 minutes
09,39 *     * * *     root   [ -x /usr/lib/php5/maxlifetime ] && [ -d /var/lib/php5 ] && find /var/lib/php5/ -type f -cmin +$(/usr/lib/php5/maxlifetime) -print0 | xargs -r -0 rm
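
Added example, not part of the message above and not code from Debian or phpGroupWare: a sketch of the same kind of purge pointed at a separate session directory such as /var/lib/phpgroupware/sessions, plus a check that the directory is not readable by other users. It assumes GNU find and stat, selects on mtime (-mmin) instead of the -cmin used in the fragment above, and the function names and the sess_* filter are choices made for this example.

```shell
#!/bin/sh
# Added example: purge stale PHP session files from an application-specific
# session.save_path and check that the directory is private.

# purge_sessions DIR MAX_AGE_MINUTES
# Deletes regular files named sess_* directly inside DIR whose mtime is more
# than MAX_AGE_MINUTES old, and prints how many were removed.
purge_sessions() {
    ps_dir=$1
    ps_age=$2

    # Only plain digits may reach find's argument list.
    case $ps_age in
        ''|*[!0-9]*) echo "invalid max age: $ps_age" >&2; return 2 ;;
    esac

    # Absolute paths only: predictable under cron, and never parsed as an option.
    case $ps_dir in
        /*) ;;
        *) echo "path must be absolute: $ps_dir" >&2; return 2 ;;
    esac

    # A job running as root must not follow a symlink planted in place of the dir.
    if [ -L "$ps_dir" ] || [ ! -d "$ps_dir" ]; then
        echo "not a real directory: $ps_dir" >&2
        return 2
    fi

    # -maxdepth 1 and -name 'sess_*' limit deletion to files written by PHP's
    # "files" session handler; one "x" is emitted per deleted file and counted.
    find "$ps_dir" -maxdepth 1 -type f -name 'sess_*' -mmin "+$ps_age" \
        -delete -exec printf x \; | wc -c | tr -d ' '
}

# session_dir_is_private DIR
# Succeeds when "other" users have no read bit on DIR, so they cannot list
# session file names (Debian's shared /var/lib/php5 is set up the same way).
session_dir_is_private() {
    sd_mode=$(stat -c '%a' "$1") || return 2
    sd_other=${sd_mode#"${sd_mode%?}"}   # last octal digit = "other" bits
    case $sd_other in
        [0-3]) return 0 ;;               # read bit (4) not set
        *) return 1 ;;
    esac
}
```

From a cron entry the age argument would come from the same /usr/lib/php5/maxlifetime helper that the Debian fragment calls.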
