Hello.

I'm considering the right way to manage the PHP session files on standard installations in Debian. Maybe you can help, as I'm not really an expert in PHP.

In Debian's default configuration, phpGroupware uses session files, and the session.save_path is directed to a specific directory, separate from the PHP5 default (/var/lib/phpgroupware/sessions instead of the default /var/lib/php5/ in Debian).

I guess such a separate dir was a way to prevent collision with other applications, which may lead to security issues as phpGroupware sessions may contain sensitive information.

Would it be a big risk to store them in the same place as other PHP apps installed on the same server? Would you recommend any policy?

You'll find below a bug report about these files not being purged ATM in Debian, btw ;)

Thanks in advance for your insights.

Best regards,

-------- Forwarded message --------
From: Olivier Berger <[EMAIL PROTECTED]>
Reply-To: Olivier Berger <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Bug#479905: phpgroupware-0.9.16-core-base: /var/lib/phpgroupware/sessions grows as files are never purged
Date: Wed, 07 May 2008 11:20:21 +0200

On Wednesday 07 May 2008 at 10:57 +0200, Olivier Berger wrote:
>
> Since the re-definition of the sessions save path into phpgroupware's own
> dirs, session files are no longer saved into php5-common's dir, and are thus
> not purged by the php5-common cron job.
>
> This leads potentially to the progressive fill-up of the disk, although at a
> quite slow pace.
>
> This needs to be fixed.
>
> Btw, it must have been happening also on epoch 0 packages back when php4 was
> used (on sarge, etch ?) when the custom php.ini parameters were applied...
> but apparently no one noticed.
>

(responding to myself)

I'm a bit doubtful about the correct way to handle this.

It's obviously possible to add a crontab like php5-common's one.

But in the end, I'm not so sure it's best to keep sessions apart from php5's defaults in Debian. I can see some security assumptions about doing so... but I'm not so sure it's really necessary.

There may be a Debian policy for that?

I'll try and ask upstream and also other php5 maintainers maybe...

Regards,
--
Olivier BERGER <[EMAIL PROTECTED]> (*NEW ADDRESS*)
http://www-inf.it-sudparis.eu/~olberger/ - OpenPGP-Id: 1024D/6B829EEC
Research Engineer - Dept INF
Institut TELECOM / TELECOM & Management SudParis (http://www.it-sudparis.eu/), Evry

_______________________________________________
phpGroupWare-developers mailing list
[email protected]
http://lists.gnu.org/mailman/listinfo/phpgroupware-developers
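
The purge that the message above says is missing for /var/lib/phpgroupware/sessions, sketched as an added example; it is not part of the original message and is not Debian's or phpGroupware's own cron job. The function name `purge_sessions`, the script name in the comment and the `sess_` file prefix (the naming used by PHP's file session handler) are assumptions.

```shell
#!/bin/sh
# Added example: purge stale PHP session files from a custom session.save_path.
# Assumption: session files are regular files named "sess_<id>".

# purge_sessions DIR MAX_AGE_MINUTES
# Deletes sess_* regular files directly under DIR whose mtime is older than
# MAX_AGE_MINUTES and prints how many were removed.
purge_sessions() {
    dir=$1
    max_age=$2

    # Accept only a plain non-negative integer as the age limit.
    case $max_age in
        ''|*[!0-9]*) echo "invalid max age: $max_age" >&2; return 2 ;;
    esac

    # Refuse a missing directory or a symlink, so a replaced path cannot
    # redirect the deletion to another location.
    if [ ! -d "$dir" ] || [ -L "$dir" ]; then
        echo "not a real directory: $dir" >&2
        return 2
    fi

    # -maxdepth 1, -type f and the name filter keep the purge to session
    # files in this directory; anything else stored there is left alone.
    find "$dir" -maxdepth 1 -type f -name 'sess_*' -mmin "+$max_age" \
        -print -delete | wc -l | tr -d ' '
}

# Runs only when called with two arguments, e.g. from a cron entry:
#   purge_sessions.sh /var/lib/phpgroupware/sessions 24
# (24 minutes corresponds to PHP's default session.gc_maxlifetime of 1440 s.)
if [ "$#" -eq 2 ]; then
    purge_sessions "$1" "$2"
fi
```

The age limit should follow the session.gc_maxlifetime that applies to the application, otherwise sessions that are still valid get deleted.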
