Lighttpd: Beware of Default PHP Session Path Permission [ session.save_path ]

by on July 27, 2006 · 6 comments· LAST UPDATED February 1, 2011

in , ,

Session support in PHP consists of a way to preserve certain data across subsequent accesses. This enables you to build more customized applications and increase the appeal of your web site.

This path is defined in /etc/php.ini file and all data related to a particular session will be stored in a file in the directory specified by the session.save_path option.

After installing phpMyAdmin I was able to login but unable to select or modify tables. First, I thought I made some configuration errors, and then I reinstalled phpMyAdmin again. It was not working at all.

Finally, php error log file provides me the answer with the following errors:

[26-Jul-2006 13:35:22] PHP Warning:  Unknown: open(/var/lib/php/session/sess_lLFJ,tk9eFs5PGtWKKf559oKFM3, O_RDWR) failed: Permission denied (13) in Unknown on line 0
[26-Jul-2006 13:35:22] PHP Warning:  Unknown: Failed to write session data (files). Please verify that the current setting of session.save_path is correct (/var/lib/php/session) in Unknown on line 0
[26-Jul-2006 13:35:40] PHP Warning:  Unknown: open(/var/lib/php/session/sess_lLFJ,tk9eFs5PGtWKKf559oKFM3, O_RDWR) failed: Permission denied (13) in Unknown on line 0

/var/lib/php/ has root:apache write permission combination. Since I had migrated from the Apache to Lighttpd web server, I forgot to set correct permission for session directory (php.ini - session.save_path directive). To change file owner and group permission you need to use the chown command as follows:
# chown root:lighttpd /var/lib/php/ -R

Now my phpMyAdmin is working fine.

TwitterFacebookGoogle+PDF versionFound an error/typo on this page? Help us!

{ 6 comments… read them below or add one }

1 itamar May 24, 2007 at 1:58 am

I belive the best option is add lighttpd to group apache.

Reply

2 Misinformed February 7, 2008 at 4:52 pm

Genius. Thanks for the tip.

Reply

3 Rey April 5, 2009 at 1:30 pm

try chmod 1777 /var/lib/php/session

Reply

4 Marcelo August 5, 2010 at 9:15 pm

Excellent!

Works 100%

Thanks!

Reply

5 Ray April 24, 2012 at 9:51 pm

Rey,
One would be stupid to set permissions to 777, huge security risk.

Reply

6 bob March 18, 2013 at 10:17 am

I agree… on /var/lib/php/session only Apache and root should have write permissions…
Other may consider this an exploit and do some damage …

Reply

Leave a Comment

Tagged as: , , , , , , , , , ,

Previous post:

Next post: