Package: php7.0-common
Version: 7.0.8-5
Severity: minor

Hi.

Debian's php.inis default to session.gc_probability = 0, which is, as you surely know, because of the session dir being cleaned up by the cron job, and the PHP code typically not having list rights on it, causing the "well known":
>session_start(): ps_files_cleanup_dir: opendir(/var/lib/php/sessions) failed:
>Permission denied (13)
error message, if the option was enabled.

Reading just the option's documentation makes one easily think that enabling this is a good idea. Moreover, the in-file-documentation even says:
>; Default Value: 1
>; Development Value: 1
>; Production Value: 1

For the user, it may not be obvious that this is not necessary on Debian systems, but will actually lead to errors.

Could you please consider the following:
- Another line like:
  Debian Default Value: 0
- Add some little clarification like:
  This is disabled per-default in Debian, as session clean up is performed by the cron job /etc/cron.d/php. If enabled nevertheless, it will require the respective session-directory to also have list (x) permissions for the user(s), under which PHP code runs that would trigger the garbage collection. Beware: Giving such permissions has security implications.
- Further I'd suggest that e.g. README.Debian lists all options where Debian's defaults deviate from upstream's, ideally with similar descriptions why.

Adding such clarification, especially to the INI, would help a bit against users accidentally enabling this in good faith.

Cheers,
Chris.
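
An added example, not part of the original report or of the Debian package: a small check for the combination described above, an explicitly enabled session.gc_probability together with a session directory that unprivileged users cannot list. The function names, the sample ini text and the mode 1733 on the temporary directory are assumptions made for illustration.

```python
import os
import re
import stat
import tempfile

# Active (uncommented) "session.gc_probability = N" directive.
_DIRECTIVE = re.compile(r"^\s*session\.gc_probability\s*=\s*(-?\d+)", re.I)


def gc_probability(ini_text):
    """Return the last explicit session.gc_probability in php.ini text.

    Lines starting with ';' are comments, so documentation lines such as
    "; Default Value: 1" are ignored. Returns None when the file sets
    no value at all.
    """
    value = None
    for line in ini_text.splitlines():
        m = _DIRECTIVE.match(line)
        if m:
            value = int(m.group(1))  # a later directive overrides earlier ones
    return value


def others_can_list(path):
    """True if the 'other' permission class has the read bit on the directory."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)


def check(ini_text, session_dir):
    """Return a warning string when in-process GC is switched on but the
    session directory is not listable by 'other' users, else None."""
    prob = gc_probability(ini_text)
    if prob is not None and prob > 0 and not others_can_list(session_dir):
        return (f"session.gc_probability={prob} but {session_dir} is not "
                "listable: expect ps_files_cleanup_dir opendir() failures")
    return None


if __name__ == "__main__":
    # Constructed sample: GC enabled in the ini text, and a temporary
    # directory with assumed mode 1733 (write/search, no read for others).
    sample_ini = "; Default Value: 1\nsession.gc_probability = 1\n"
    with tempfile.TemporaryDirectory() as d:
        os.chmod(d, 0o1733)
        print(check(sample_ini, d))
```

The check looks only at the "other" permission bits; it does not model group membership or ACLs of the user the PHP code runs as.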