On Wed, 2008-05-07 at 07:11 -0500, Chris Weiss wrote:
> On Wed, May 7, 2008 at 5:15 AM, Olivier Berger
> <[EMAIL PROTECTED]> wrote:
> > Hello.
> >
> > I'm considering the right way to manage the PHP session files on
> > standard installations in Debian.
> >
> > Maybe you can help, as I'm not really expert in PHP.
> >
> > In Debian's default configuration, phpGroupware uses session files, and
> > the session.save_path is directed to a specific directory, separate from
> > the PHP5 default (/var/lib/phpgroupware/sessions instead of the
> > default /var/lib/php5/ in Debian).
> >
> > I guess such a separate dir was a way to prevent collision with other
> > applications which may lead to security issues as phpGroupware sessions
> > may contain sensitive information.
> >
> > Would this be a big risk to store them in the same place as other PHP
> > apps installed on the same server ?
> >
> > Would you recommend any policy ?
> >
> > You'll find below a bug-report about these files not being purged ATM
> > in Debian, btw ;)
> >
>
> it's always been my impression that php's garbage collection, not a
> cron job, handles removing old session files. maybe what we have is a
> bug in php itself...

In Debian it is a cron job. See below.

I recommend a separate directory, just for security, but it probably
doesn't provide much benefit, cos if you can read the session files you
can read the header.inc.php, and so get the dd access credentials.

I am happy enough to use the common session path if that is easier for
you (and Debian).

Cheers

Dave

$ cat /etc/cron.d/php5
# /etc/cron.d/php5: crontab fragment for php5
#  This purges session files older than X, where X is defined in seconds
#  as the largest value of session.gc_maxlifetime from all your php.ini
#  files, or 24 minutes if not defined.  See /usr/lib/php5/maxlifetime

# Look for and purge old sessions every 30 minutes
09,39 * * * * root [ -x /usr/lib/php5/maxlifetime ] && [ -d /var/lib/php5 ] && find /var/lib/php5/ -type f -cmin +$(/usr/lib/php5/maxlifetime) -print0 | xargs -r -0 rm

_______________________________________________
phpGroupWare-developers mailing list
[email protected]
http://lists.gnu.org/mailman/listinfo/phpgroupware-developers
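
Added example, not part of the thread and not Debian's or phpGroupWare's own script: the cron fragment above only looks in /var/lib/php5, so a separate session.save_path needs its own purge. The sketch below assumes session files are named sess_*, uses -mmin instead of the -cmin of Debian's job so it can be tried on backdated files, and uses the hypothetical function name purge_sessions.

```shell
#!/bin/sh
# purge_sessions DIR MAX_MINUTES  (hypothetical helper, added example)
#   Removes PHP session files (sess_*) directly inside DIR that were last
#   modified more than MAX_MINUTES ago and prints how many were removed.
#   Returns 2 without deleting anything if an argument looks unsafe.
purge_sessions() {
    dir=$1
    max=$2

    # The lifetime ends up on find's command line: accept digits only.
    case $max in
        ''|*[!0-9]*) echo "bad lifetime: $max" >&2; return 2 ;;
    esac

    # Work only on a real directory, never on a symlink that could have
    # been repointed at some other tree.
    if [ ! -d "$dir" ] || [ -L "$dir" ]; then
        echo "not a plain directory: $dir" >&2
        return 2
    fi

    # -maxdepth 1 and -type f keep the purge to regular files in DIR itself;
    # -print after -exec reports only files that rm handled successfully.
    find "$dir" -maxdepth 1 -type f -name 'sess_*' -mmin "+$max" \
        -exec rm -f -- {} \; -print | wc -l | tr -d ' '
}

# Constructed demo in a throwaway directory standing in for
# /var/lib/phpgroupware/sessions; 24 minutes is the fallback lifetime
# named in the cron fragment's comment.
demo=$(mktemp -d)
: > "$demo/sess_stale"
: > "$demo/sess_fresh"
touch -t 200805070000 "$demo/sess_stale"   # backdate one file
echo "removed: $(purge_sessions "$demo" 24)"
rm -rf "$demo"
```
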
