Ticket #1123 (Review - PHP session handling) created

    [feedquote='Trac','http://trac.i-mscp.net/ticket/1123']

    On the debian-based distributions, the cleanup of PHP sessions is done through a cron task which is run with the root user privileges. This is a major change in default PHP behavior which has been introduced by the Debian team in response to a bug report (see below).

    Indeed, for safety reasons, Debian sets stringent permissions on the /var/lib/php5 directory to prevent session hijacking. The side-effect of this is that the native PHP session garbage collector cannot work because it can't access files in that directory... Also, Debian sets the session.gc_probability parameter value to 0 which prevent the garbage collector to run when a custom session.save_path is defined using the ini_set() function.

    Since years, i-MSCP tends to mimic this behavior with its own cron task but this is not without any drawback:

    • While Debian uses only one directory to store session files (which explains the stringent permissions to prevent session hijacking) , i-MSCP stores them per domain (each domain has its own session directory which cannot be accessed by other user).
    • When run, the cron task provided by i-MSCP must open all php.ini files to get the session configuration parameter value which involves a lot of work (eg. IO operations)

    In fact, i-MSCP should not be concerned about the session hijacking issue because the sessions, as stated above, are stored per domain. Therefore, we should rely on the default PHP behavior instead of rely on the Debian behavior.

    This simply involves the following changes:

    • The cron task which is responsible to cleanup PHP sessions must be removed
    • The session.gc_maxfile parameter must be set to a value greater than zero
    • The default cron task as provided by Debian must be disabled

    Also, the session.save_path parameter value, when using ITK implementation, must be defined with php_value instead of php_admin_value. Indeed, the mode for the PHP session settings is PHP_INI_ALL and not PHP_INI_SYSTEM

    Refs:

    [/feedquote]