Lighttpd: Beware of Default PHP Session Path Permission [ session.save_path ]

Session support in PHP consists of a way to preserve certain data across subsequent accesses. This enables you to build more customized applications and increase the appeal of your web site.


The session storage path is defined in the /etc/php.ini file, and all data related to a particular session is stored in a file in the directory specified by the session.save_path option.

After installing phpMyAdmin I was able to log in but unable to select or modify tables. At first, I thought I had made some configuration errors, and then I reinstalled phpMyAdmin. It was not working at all.

Finally, the PHP error log file gave me the answer with the following errors:

[26-Jul-2006 13:35:22] PHP Warning:  Unknown: open(/var/lib/php/session/sess_lLFJ,tk9eFs5PGtWKKf559oKFM3, O_RDWR) failed: Permission denied (13) in Unknown on line 0
[26-Jul-2006 13:35:22] PHP Warning:  Unknown: Failed to write session data (files). Please verify that the current setting of session.save_path is correct (/var/lib/php/session) in Unknown on line 0
[26-Jul-2006 13:35:40] PHP Warning:  Unknown: open(/var/lib/php/session/sess_lLFJ,tk9eFs5PGtWKKf559oKFM3, O_RDWR) failed: Permission denied (13) in Unknown on line 0

/var/lib/php/ is writable by the root:apache owner and group combination. Since I had migrated from the Apache to the Lighttpd web server, I forgot to set the correct permissions for the session directory (php.ini – session.save_path directive). To change the file owner and group, you need to use the chown command as follows:
# chown -R root:lighttpd /var/lib/php/

Now my phpMyAdmin is working fine.
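
The following check is an added example, not part of the original article. It audits a session.save_path directory for the ownership mismatch described above and for permissions that are too loose; the function name, finding keywords and the scratch directory in the demo are assumptions made for illustration, and it needs GNU stat.

```shell
#!/bin/sh
# Added example, not from the original article. Requires GNU stat (Linux).
# audit_session_dir DIR OWNER GROUP
# Prints one finding keyword per line. Returns 0 if clean, 1 if there are
# findings, 2 if DIR is not a directory.
audit_session_dir() {
    dir=$1 want_owner=$2 want_group=$3
    [ -d "$dir" ] || { echo "not-a-directory"; return 2; }
    # %a = octal mode, %U = owner name, %G = group name
    set -- $(stat -c '%a %U %G' "$dir")
    mode=$((0$1)) owner=$2 group=$3 rc=0
    # Ownership: the article's failure was a directory left as root:apache
    # after moving to lighttpd, so the new server's group could not write.
    [ "$owner" = "$want_owner" ] || { echo "owner-mismatch"; rc=1; }
    [ "$group" = "$want_group" ] || { echo "group-mismatch"; rc=1; }
    # The group needs write+search (030) to create and open sess_* files.
    [ $((mode & 030)) -eq $((030)) ] || { echo "group-cannot-write"; rc=1; }
    # Any "other" bit exposes the directory to unrelated local accounts:
    # r/x reveals sess_<id> file names, w lets them create files there.
    # chmod 1777 sets all three; the sticky bit only restricts deletion.
    [ $((mode & 002)) -eq 0 ] || { echo "world-writable"; rc=1; }
    [ $((mode & 005)) -eq 0 ] || { echo "world-accessible"; rc=1; }
    return $rc
}

# Constructed demo: a scratch directory stands in for /var/lib/php/session.
demo_dir=$(mktemp -d)
me=$(stat -c %U "$demo_dir"); grp=$(stat -c %G "$demo_dir")
chmod 1777 "$demo_dir"; echo "mode 1777:"
audit_session_dir "$demo_dir" "$me" "$grp" || echo "(findings above)"
chmod 0770 "$demo_dir"; echo "mode 0770:"
audit_session_dir "$demo_dir" "$me" "$grp" && echo "clean"
rmdir "$demo_dir"
```

On the host from the article the call would be audit_session_dir /var/lib/php/session root lighttpd.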

6 comments
  • itamar May 24, 2007 @ 1:58

    I believe the best option is to add lighttpd to group apache.

  • Misinformed Feb 7, 2008 @ 16:52

    Genius. Thanks for the tip.

  • Rey Apr 5, 2009 @ 13:30

    try chmod 1777 /var/lib/php/session

  • Marcelo Aug 5, 2010 @ 21:15

    Excellent!

    Works 100%

    Thanks!

  • Ray Apr 24, 2012 @ 21:51

    Rey,
    One would be stupid to set permissions to 777, huge security risk.

    • bob Mar 18, 2013 @ 10:17

      I agree… on /var/lib/php/session only Apache and root should have write permissions…
      Others may consider this an exploit and do some damage …
