AlanR Posted December 9, 2005

Due to a change by hosts to Safe Mode and/or an upgrade to php many people are getting warnings like this:

    Warning: session_save_path(): SAFE MODE Restriction in effect. The script whose uid/gid is 10043/10001 is not allowed to access owned by uid/gid 0/0 in /usr/local/psa/home/vhosts/sumdomain.com/httpdocs/catalog/includes/functions/sessions.php on line 118

    Warning: Cannot modify header information - headers already sent by (output started at /usr/local/psa/home/vhosts/sumdomain.com/httpdocs/catalog/includes/functions/sessions.php:118) in /usr/local/psa/home/vhosts/sumdomain.com/httpdocs/catalog/includes/functions/general.php on line 1174

    Warning: session_start(): Cannot send session cookie - headers already sent by (output started at /usr/local/psa/home/vhosts/sumdomain.com/httpdocs/catalog/includes/functions/sessions.php:118) in /usr/local/psa/home/vhosts/sumdomain.com/httpdocs/catalog/includes/functions/sessions.php on line 67

    Warning: session_start(): Cannot send session cache limiter - headers already sent (output started at /usr/local/psa/home/vhosts/sumdomain.com/httpdocs/catalog/includes/functions/sessions.php:118) in /usr/local/psa/home/vhosts/sumdomain.com/httpdocs/catalog/includes/functions/sessions.php on line 67

What's happening is that osc is no longer able to write to /tmp on the server. It does not matter if you have sessions set to mysql in your catalog/includes/configure.php file (always best on a shared server), sessions.php still queries for the directory.

    function tep_session_save_path($path = '') {
      if (!empty($path)) {
        return session_save_path($path);
      } else {
        return session_save_path();
      }
    }

iosysuk (Ian) tracked down the solution here...

> Cause: Previous bug in PHP fixed in latest version (Chances are your ISP has updated to the new version)
>
> Fix: Go to Admin / Configuration / Sessions and change the "Sessions Directory" to tmp (no slashes)
>
> If you can't get into Admin, go to your Database Admin page (usually phpMyAdmin app.)
> Click on any table on the left hand side.
> Click on SQL at the top of the screen
> Overtype whatever appears in the SQL window with ...
>
>     UPDATE configuration SET configuration_value = 'tmp' WHERE configuration_key='SESSION_WRITE_DIRECTORY'
>
> Click Go

You can also just use phpMyAdmin to edit the value directly. It's in table: configuration at about line 136.

    Session Directory    SESSION_WRITE_DIRECTORY    /tmp

Simply change /tmp to tmp

Local: Mac OS X 10.5.8 - Apache 2.2/php 5.3.0/MySQL 5.4.10 • Web Servers: Linux
Tools: BBEdit, Coda, Versions (Subversion), Sequel Pro (db management)
Guest Posted December 11, 2005

On one server, this works for me in Admin, but not in Catalog. See any problem changing sessions.php to read like this?

    function tep_session_save_path($path = '') {
      if (STORE_SESSIONS != 'mysql') { // added this line to turn off this checking if storing session info in db
        if (!empty($path)) {
          return session_save_path($path);
        } else {
          return session_save_path();
        }
      }
    }

-jared
AlanR Posted December 11, 2005

> On one server, this works for me in Admin, but not in Catalog. See any problem changing sessions.php to read like this?
>
>     function tep_session_save_path($path = '') {
>       if (STORE_SESSIONS != 'mysql') { // added this line to turn off this checking if storing session info in db
>         if (!empty($path)) {
>           return session_save_path($path);
>         } else {
>           return session_save_path();
>         }
>       }
>     }
>
> -jared

Shouldn't be a problem. It was always an option to turn off the test for the directory itself if you're saving sessions in the database. The only objection I'd have is that it makes the installation less standard.

There was another person who found the same result as you did. In his case we went back to creating a directory somewhere within his web space, i.e.:

    /usr/home/sumname/public_html/catalog/mysessions
    or
    /usr/home/sumname/public_html/mysessions
    or

and then setting the session save path to that. That solved his problem.

It's the cases where a user can't even get into admin that the mySQL approach is most valuable.
AlanR Posted December 11, 2005

To summarize Jared's solution for newbies.

1) In catalog/includes/configure.php ensure that the last line is set to

    define('STORE_SESSIONS', 'mysql'); // leave empty '' for default handler or set to 'mysql'

2) In catalog/includes/functions/sessions.php find:

    function tep_session_save_path($path = '') {
      if (!empty($path)) {
        return session_save_path($path);
      } else {
        return session_save_path();
      }
    }

Change to:

    function tep_session_save_path($path = '') {
      if (STORE_SESSIONS != 'mysql') { // added this line to turn off this checking if storing session info in db
        if (!empty($path)) {
          return session_save_path($path);
        } else {
          return session_save_path();
        }
      }
    }

You can also apply the same fix to the admin section.

1) In catalog/admin/includes/configure.php ensure that the last line is set to

    define('STORE_SESSIONS', 'mysql'); // leave empty '' for default handler or set to 'mysql'

2) In catalog/admin/includes/functions/sessions.php find:

    function tep_session_save_path($path = '') {
      if ($path != '') {
        return session_save_path($path);
      } else {
        return session_save_path();
      }
    }

Change to:

    function tep_session_save_path($path = '') {
      if (STORE_SESSIONS != 'mysql') { // added this line to turn off this checking if storing session info in db
        if ($path != '') {
          return session_save_path($path);
        } else {
          return session_save_path();
        }
      }
    }
Guest Posted December 11, 2005

> To summarize Jared's solution for newbies.
>
> 1) In catalog/includes/configure.php ensure that the last line is set to
>
>     define('STORE_SESSIONS', 'mysql'); // leave empty '' for default handler or set to 'mysql'
>
> 2) In catalog/includes/functions/sessions.php find:
>
>     function tep_session_save_path($path = '') {
>       if (!empty($path)) {
>         return session_save_path($path);
>       } else {
>         return session_save_path();
>       }
>     }
>
> Change to:
>
>     function tep_session_save_path($path = '') {
>       if (STORE_SESSIONS != 'mysql') { // added this line to turn off this checking if storing session info in db
>         if (!empty($path)) {
>           return session_save_path($path);
>         } else {
>           return session_save_path();
>         }
>       }
>     }
>
> You can also apply the same fix to the admin section.
>
> 1) In catalog/admin/includes/configure.php ensure that the last line is set to
>
>     define('STORE_SESSIONS', 'mysql'); // leave empty '' for default handler or set to 'mysql'
>
> 2) In catalog/admin/includes/functions/sessions.php find:
>
>     function tep_session_save_path($path = '') {
>       if ($path != '') {
>         return session_save_path($path);
>       } else {
>         return session_save_path();
>       }
>     }
>
> Change to:
>
>     function tep_session_save_path($path = '') {
>       if (STORE_SESSIONS != 'mysql') { // added this line to turn off this checking if storing session info in db
>         if ($path != '') {
>           return session_save_path($path);
>         } else {
>           return session_save_path();
>         }
>       }
>     }

I'm trying to run my online osc on my local pc, the catalog part works fine but the admin doesn't. So I tried searching the forum for help.... After changing the Session Directory value from /tmp to tmp... I'm getting this error:

    Fatal error: Cannot re-assign $this in D:\xampp\xampp\htdocs\sylviareynosogala\recipes\admin\includes\classes\upload.php on line 31

and when I tried commenting that line 32 (contains: $this = null;) the admin works fine but I don't know if it affects the admin's functionality.

Please help. I want to run this on my local pc so that I can modify the look faster. Thanks a lot guys!!!
AlanR Posted December 11, 2005

> I'm trying to run my online osc on my local pc, the catalog part works fine but the admin doesn't. So I tried searching the forum for help.... After changing the Session Directory value from /tmp to tmp... I'm getting this error:
>
>     Fatal error: Cannot re-assign $this in D:\xampp\xampp\htdocs\sylviareynosogala\recipes\admin\includes\classes\upload.php on line 31
>
> and when I tried commenting that line 32 (contains: $this = null;) the admin works fine but I don't know if it affects the admin's functionality.
>
> Please help. I want to run this on my local pc so that I can modify the look faster. Thanks a lot guys!!!

That's due to a change in php5.

See: http://www.oscommerce.com/ext/update-20051...l#_Toc119693703
Guest Posted December 12, 2005

> That's due to a change in php5.
>
> See: http://www.oscommerce.com/ext/update-20051...l#_Toc119693703

:thumbsup: Thanks a lot! Looks like I did the right thing commenting it out. Problem Solved! Now I only need to fix my OS. :D
southriver Posted April 27, 2006

> To summarize Jared's solution for newbies.
>
> 1) In catalog/includes/configure.php ensure that the last line is set to
>
>     define('STORE_SESSIONS', 'mysql'); // leave empty '' for default handler or set to 'mysql'
>
> 2) In catalog/includes/functions/sessions.php find:
>
>     function tep_session_save_path($path = '') {
>       if (!empty($path)) {
>         return session_save_path($path);
>       } else {
>         return session_save_path();
>       }
>     }
>
> Change to:
>
>     function tep_session_save_path($path = '') {
>       if (STORE_SESSIONS != 'mysql') { // added this line to turn off this checking if storing session info in db
>         if (!empty($path)) {
>           return session_save_path($path);
>         } else {
>           return session_save_path();
>         }
>       }
>     }
>
> You can also apply the same fix to the admin section.
>
> 1) In catalog/admin/includes/configure.php ensure that the last line is set to
>
>     define('STORE_SESSIONS', 'mysql'); // leave empty '' for default handler or set to 'mysql'
>
> 2) In catalog/admin/includes/functions/sessions.php find:
>
>     function tep_session_save_path($path = '') {
>       if ($path != '') {
>         return session_save_path($path);
>       } else {
>         return session_save_path();
>       }
>     }
>
> Change to:
>
>     function tep_session_save_path($path = '') {
>       if (STORE_SESSIONS != 'mysql') { // added this line to turn off this checking if storing session info in db
>         if ($path != '') {
>           return session_save_path($path);
>         } else {
>           return session_save_path();
>         }
>       }
>     }

Could you tell me what reason detail? :)
wondernet Posted May 17, 2006

Thanks, suddenly came across the error message this morning, used the phpMyAdmin and changed the '/tmp' to 'tmp' as shown above and it worked lovely!! Nicely done chaps.
Guest Posted May 27, 2006

>     Session Directory    SESSION_WRITE_DIRECTORY    /tmp
>
> Simply change /tmp to tmp

This is a very bad idea actually. If the sessions are stored in a file (not in the dbase) removing the front slash makes the path relative to the osc catalog. So now your sessions are stored in:

    catalog\tmp

And of course they are accessible and can be downloaded by everyone. In other words, let's see what we have here:

    http://mysite.com/catalog/tmp/

You should always set the sessions path to be outside your domain with a fully qualified path. So if the root of the site is here

    /some_home_path/httpdocs/

And the osc catalog

    /some_home_path/httpdocs/catalog/

You want to set the path outside of all this, to something like:

    /some_home_path/private_sessions/

This way the session file cannot be accessed from the outside.

PS: And the same for any cache files you're possibly using.
AlanR Posted May 27, 2006

> This is a very bad idea actually. If the sessions are stored in a file (not in the dbase) removing the front slash makes the path relative to the osc catalog. So now your sessions are stored in:
>
>     catalog\tmp

Storing sessions in a file is bad practice in general for shared servers, read the first post again...

> It does not matter if you have sessions set to mysql in your catalog/includes/configure.php file (always best on a shared server), sessions.php still queries for the directory.

Complete credit card numbers can be found in those session files.

However, if you read through the thread completely you'll see that the real issue is the fact that the directory must be found (or the code modified so as not to check for the directory's existence) or an error will occur.
Guest Posted May 27, 2006

Doesn't matter if it's shared or dedicated because removing the front slash opens the security hole. Not only the default osc comes with sessions in files, but there are plenty of posts in the forums recommending to use the "tmp" as a solution.

And then there is the possibility someone decides to flip the setting from mysql to '' just because the mysql access on his server is slow. Too many cases this can cause problems. It's best to set that path always outside the domain.
mcbsolutions Posted May 28, 2006

> Doesn't matter if it's shared or dedicated because removing the front slash opens the security hole. Not only the default osc comes with sessions in files, but there are plenty of posts in the forums recommending to use the "tmp" as a solution.
>
> And then there is the possibility someone decides to flip the setting from mysql to '' just because the mysql access on his server is slow. Too many cases this can cause problems. It's best to set that path always outside the domain.

I have my configure.php set to store sessions in mysql...so this should not be a concern..but I have to agree..you can never have too much security. Even though it probably will never change to store sessions in files...I did set the path to a folder outside the domain instead of in the root public html folder. It doesn't hurt right? :thumbsup:
AlanR Posted May 28, 2006

> I have my configure.php set to store sessions in mysql...so this should not be a concern..but I have to agree..you can never have too much security. Even though it probably will never change to store sessions in files...I did set the path to a folder outside the domain instead of in the root public html folder. It doesn't hurt right? :thumbsup:

I'm not at all sure that enigma is correct in his assertion. Seems to me that if he was correct and removing the slash before tmp directed osC to a directory within user web space we'd have lots of people posting that they had problems with the directory not being found. Directories are not magically created.

Nowhere in the post does it suggest creating a tmp directory within user web space and no one has ever mentioned the problem of the directory not being found. If it was indeed within user web space the full file system path would need to be specified.

Refer back to the thread I linked in my first post where a user (iosysuk) first tracked down the cause of the problem.

http://www.oscommerce.com/forums/index.php?s=&...ndpost&p=754745
Guest Posted May 28, 2006

> I'm not at all sure that enigma is correct in his assertion. Seems to me that if he was correct and removing the slash before tmp directed osC to a directory within user web space we'd have lots of people posting that they had problems with the directory not being found. Directories are not magically created.
>
> Nowhere in the post does it suggest creating a tmp directory within user web space and no one has ever mentioned the problem of the directory not being found. If it was indeed within user web space the full file system path would need to be specified.
>
> Refer back to the thread I linked in my first post where a user (iosysuk) first tracked down the cause of the problem.
>
> http://www.oscommerce.com/forums/index.php?s=&...ndpost&p=754745

Here is a quote from a post you may want to read:
http://www.php.net/manual/en/function.session-save-path.php

> All users on web hosting should choose an dir below the HTTP directory struct, but within their user area to store the session files.

So no, you never want to specify sessions or cache files to be stored within the webspace. You should store them in the private user area.
AlanR Posted May 28, 2006

> Here is a quote from a post you may want to read:
> http://www.php.net/manual/en/function.session-save-path.php
>
> So no, you never want to specify sessions or cache files to be stored within the webspace. You should store them in the private user area.

That's a given and agreed with. We all know that.

My point is that the change from /tmp to tmp does not mean that there is magically a tmp directory in user public web space.

The original poster (iosysuk) somewhere found a note which indicated that the top level server tmp file is accessed using tmp rather than /tmp when running under safe mode in more recent versions of php. It's when that change occurred that lots of people started posting the errors this thread addresses. As far as I can see, the change does not switch the directory to any other than the top level server /tmp, it just changes the way php finds that directory.

Remember that this has solved the problem many people found and none have ever come back and said they got a "directory not found" error and they never created a new tmp folder.

I think you're jumping to a conclusion without basis and possibly confusing people who need to solve the problem this thread addresses.

I don't use servers running under safe mode which require this change, if I use /tmp it works just fine so I can't test for this myself.
Guest Posted May 29, 2006

> That's a given and agreed with. We all know that.
>
> My point is that the change from /tmp to tmp does not mean that there is magically a tmp directory in user public web space.

I did not say the tmp directory is created by your tip. I pointed to one thing only and that is the recommendation changing the session path from /tmp to tmp.

It's very easy to replicate the problem on a unix or windows server. Just follow these steps:

1. Install osc
2. Create a tmp directory at the user space root level.
3. Create a tmp directory at the osc catalog level.
4. Enter the store with your browser, do a couple of clicks such that a session file is generated.
5. Check & verify the session files are now stored at the root user space root tmp folder (and not anywhere else - they should)
6. Go to the osc admin->configuration->sessions, modify the session path from /tmp to tmp, removing the front slash.
7. Erase the session files from the userspace root tmp folder.
8. Repeat step 4 and then check again the userspace root tmp folder as well as the catalog tmp folder.

You will notice the sessions are now stored in the catalog tmp folder. In other words the sessions are accessible from the outside.

You can also try it on a local server with windows os by creating the tmp like c:\tmp at the root level. Same thing happens. That was basically my point. Now when someone tries to get rid of the folder warning he may try to create a tmp folder at the catalog level of his store. Thus creating the security hole.

Should be explicitly stated to set up a fully qualified path as the session directory outside the webspace. Same can happen with the cache.
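The path check at issue in the posts above, as an added example that is not part of any post and is not osCommerce code: it resolves a configured session directory and reports whether the result lies under the web root. The function names and the directory layout are hypothetical, and it assumes a relative value is resolved from the catalog directory, as the reproduction steps describe.

```php
<?php
// Added example (not osCommerce code). Function names are hypothetical.
// Assumption: a relative session directory is resolved from the working
// directory of the running script, i.e. the catalog directory, as the
// reproduction steps in the thread describe.

// Turn the configured value into the directory that would actually be used.
function resolve_session_dir(string $configured, string $cwd): string
{
    // Absolute on Unix ("/...") or Windows ("C:\..." or "C:/...").
    $absolute = preg_match('#^(/|[A-Za-z]:[\\\\/])#', $configured) === 1;
    $candidate = $absolute
        ? $configured
        : rtrim($cwd, '/\\') . DIRECTORY_SEPARATOR . $configured;
    $real = realpath($candidate);            // false if it does not exist
    return $real !== false ? $real : $candidate;
}

// True when $path is $root itself or lies beneath it.
function is_inside(string $path, string $root): bool
{
    $real = realpath($root);
    $root = rtrim($real !== false ? $real : $root, '/\\') . DIRECTORY_SEPARATOR;
    return strncmp($path . DIRECTORY_SEPARATOR, $root, strlen($root)) === 0;
}

// Report where the configured value points and whether the web server
// could serve files from there.
function audit_session_dir(string $configured, string $cwd, string $docRoot): array
{
    $resolved = resolve_session_dir($configured, $cwd);
    $exists = is_dir($resolved);
    return [
        'configured'  => $configured,
        'resolved'    => $resolved,
        'exists'      => $exists,
        'web_exposed' => $exists && is_inside($resolved, $docRoot),
    ];
}

// Constructed layout modelled on the paths used in the thread.
$home    = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'osc_demo_' . getmypid();
$docRoot = $home . '/httpdocs';
$catalog = $docRoot . '/catalog';
$private = $home . '/private_sessions';
mkdir($catalog . '/tmp', 0700, true);
mkdir($private, 0700, true);

// 'tmp' is the relative value, $private the fully qualified one,
// 'missing_dir' a relative value with no matching directory.
foreach (['tmp', $private, 'missing_dir'] as $value) {
    $r = audit_session_dir($value, $catalog, $docRoot);
    printf(
        "%-18s exists=%-3s web_exposed=%-3s %s\n",
        basename($r['configured']),
        $r['exists'] ? 'yes' : 'no',
        $r['web_exposed'] ? 'yes' : 'no',
        $r['resolved']
    );
}

// Remove the constructed directories again.
foreach ([$catalog . '/tmp', $catalog, $docRoot, $private, $home] as $dir) {
    rmdir($dir);
}
```

On a real install, pass the stored SESSION_WRITE_DIRECTORY value, the catalog directory and the site's document root in place of the constructed paths.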
Guest Posted May 29, 2006

This is another post where you recommended basically the same thing which I tried to point out:
http://www.oscommerce.com/forums/index.php?s=&...ndpost&p=743309

and here is a very old thread that shows about this security risk:
http://www.oscommerce.com/forums/index.php?showtopic=38136
AlanR Posted May 29, 2006

> It's very easy to replicate the problem on a unix or windows server. Just follow these steps:
>
> 2. Create a tmp directory at the user space root level.
> 3. Create a tmp directory at the osc catalog level.

Exactly. And completely obvious. Nowhere in this thread is there an instruction to create these directories.

I only created this thread as a simple method for pointing newbies to a solution for a problem. All you've succeeded in doing is muddying up what was a simple thread.
MagazineMonkey Posted March 24, 2007

Thank you :thumbsup: It worked perfect for me.

Rob

> Exactly. And completely obvious. Nowhere in this thread is there an instruction to create these directories.
>
> I only created this thread as a simple method for pointing newbies to a solution for a problem. All you've succeeded in doing is muddying up what was a simple thread.
Rod_Miller Posted December 30, 2007

Thanks a million for this fix, I'd reinstalled it twice but still no joy had to dig a bit to find it but changed it and no problems.
Smooth_Groove Posted October 7, 2008

As a newbie to php, mysql and oscommerce, this forum post helped me out. Big thanks. I edited the following to solve the errors.

> You can also just use phpMyAdmin to edit the value directly. It's in table: configuration at about line 136.
>
>     Session Directory    SESSION_WRITE_DIRECTORY    /tmp
>
> Simply change /tmp to tmp
bhavatmaj Posted April 22, 2009

thanks

bhavatmaj
satish Posted April 22, 2009

Check the value of DIR_FS_CATALOG in configure.php

Satish
Guest Posted July 22, 2009

> Due to a change by hosts to Safe Mode and/or an upgrade to php many people are getting warnings like this:
>
> What's happening is that osc is no longer able to write to /tmp on the server. It does not matter if you have sessions set to mysql in your catalog/includes/configure.php file (always best on a shared server), sessions.php still queries for the directory.
>
>     function tep_session_save_path($path = '') {
>       if (!empty($path)) {
>         return session_save_path($path);
>       } else {
>         return session_save_path();
>       }
>     }
>
> iosysuk (Ian) tracked down the solution here...
>
> You can also just use phpMyAdmin to edit the value directly. It's in table: configuration at about line 136.

Oh, the joy. I just changed that one line in my supanames panel database editor, and those flipping warnings just VANISHED!!!

Thank you soooo much :-D

Mel

>     Session Directory    SESSION_WRITE_DIRECTORY    /tmp
>
> Simply change /tmp to tmp
This topic is now archived and is closed to further replies.