On Fri, Aug 05, 2005 at 12:41:39PM -0400, Dmitriy Kropivnitskiy wrote:
> Package: libapache-mod-php4
> Version: 4:4.3.10-15

> The default for session.gc_probability was changed from the upstream
> default of 1 (garbage collection runs on 1% of requests) to 0 (no
> garbage collection). I believe that the reason for the change was the
> bug #267720 <http://bugs.debian.org/267720>. Unfortunately, this breaks
> things for people using session_set_save_handler() function to set their
> own session management (for example to record sessions in a database).
> If existing codebase is using custom garbage collection function an
> upgrade to Debian silently stops the garbage collection from happening,
> since the cron job from php4-common only cleans up default session temp
> files. Also this changes the expected (documented on www.php.net)
> behaviour of php session handling. The solution for this would be to either
> 1. Re-enable the gc_probability and change default ownership and
> permissions on /var/lib/php4 to allow www-data deleting files from it
> (and disallow regular users any access, something like chmod 770 )

I'm sorry, but this is an unacceptable solution for the existing PHP use cases. There is no way to provide a reasonable default session config that both provides appropriate security for session data and also allows using the built-in PHP garbage collector.

> 2. Leave this as it is, but bring up a warning message in the package
> post-config to bring this to the user's attention

That would also be inappropriate. However, this is information that it would be sensible to put in the package README file.

-- 
Steve Langasek
postmodern programmer
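
The situation described in the report, as an added example that is not part of the original thread or of the Debian package: an application with its own session store re-enables garbage collection for itself, so its gc callback runs again without changing the packaged default or the permissions on /var/lib/php4. It assumes a current PHP (8.0 or later) with PDO SQLite rather than the PHP 4 of the thread; the class name, table name and in-memory DSN are hypothetical.

```php
<?php
// Added illustration. DbSessionHandler, the "sessions" table and the
// sqlite::memory: DSN are assumptions; use a persistent database in practice.
class DbSessionHandler implements SessionHandlerInterface
{
    private PDO $db;

    public function __construct(PDO $db)
    {
        $this->db = $db;
        $db->exec('CREATE TABLE IF NOT EXISTS sessions
                   (id TEXT PRIMARY KEY, data TEXT NOT NULL, touched INTEGER NOT NULL)');
    }
    public function open(string $path, string $name): bool { return true; }
    public function close(): bool { return true; }
    public function read(string $id): string|false
    {
        $st = $this->db->prepare('SELECT data FROM sessions WHERE id = ?');
        $st->execute([$id]);
        $data = $st->fetchColumn();
        return $data === false ? '' : $data;   // unknown id: empty session
    }
    public function write(string $id, string $data): bool
    {
        $st = $this->db->prepare(
            'REPLACE INTO sessions (id, data, touched) VALUES (?, ?, ?)');
        return $st->execute([$id, $data, time()]);
    }
    public function destroy(string $id): bool
    {
        return $this->db->prepare('DELETE FROM sessions WHERE id = ?')->execute([$id]);
    }
    // PHP calls this only when session.gc_probability > 0. With a default of 0
    // it never runs, and a cron job that cleans session files does not touch
    // this table, so expired rows (and their session data) accumulate.
    public function gc(int $max_lifetime): int|false
    {
        $st = $this->db->prepare('DELETE FROM sessions WHERE touched < ?');
        $st->execute([time() - $max_lifetime]);
        return $st->rowCount();
    }
}

// Per-application override, set before session_start(): gc on about 1% of
// requests (probability / divisor), the upstream behaviour the report cites.
ini_set('session.gc_probability', '1');
ini_set('session.gc_divisor', '100');
session_set_save_handler(new DbSessionHandler(new PDO('sqlite::memory:')), true);
session_start();
```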