Guest Posted March 22, 2003

Hi, can someone please explain where these sessions are supposed to be stored, are we supposed to delete them each day, what permission should the folder be, etc.? I had a folder called sessions in my public_html folder and was told that was a security risk, so I moved it below the public_html folder in the root. The only way I could get it to work was to set the folder permission to 777, but that seems kind of funny since the other folders in that area are not 777. I have tried 755 and still get the warning that it cannot write to the folder. Any help in understanding this is greatly appreciated. Thanks!
toolcrazy Posted March 22, 2003

According to Mattice, he prefers to store sessions in the database. He believed that this was the faster method. But this is still under strong debate. I have moved my sessions to the database, mainly because I don't have the rights to create a dir outside of httpdocs.

Steve
mattice Posted March 22, 2003

A session is a unique number assigned to a client (visitor). The unique number is also used as a filename in /tmp. Because the client has the number in his URL (or in a cookie) you can keep track of what he/she wants/does by writing data to the session file. That data is also available in your scripts.

So in order for your sessions to work (file based) the PHP script (which is run by the webserver) needs write access to a directory (like /tmp). If this directory lives WITHIN your document root (remotely accessible by a browser) it is a security threat, as people can actually read other people's session files in their browser.

Consider this: http://www.yoursite.com/sessions/

If you had directory listings on I would get a nice list of all current sessions on your site at that moment. If I clicked one it would show me the contents, and if I copied it and used it as my own session I could impersonate that specific user... (session hijacking)

If it lives OUTSIDE the doc root you cannot reach it from the outside world. The webserver itself can. So find out who your webserver runs as (Linux is usually nobody from group nobody; repeating myself here Modom :D) and change ownership (chown) of the dir to that. Next you chmod it 700, which makes it only accessible to that user/group.

My preference is indeed storing them in MySQL but I know other people prefer files. It is up to you. The MySQL option is offered for shared hosting accounts where loads of people use the /tmp directory, making the chance of session hijacking or session mistakes bigger.

HTH
Mattice

"Politics is the art of preventing people from taking part in affairs which properly concern them"
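As an added example that is not part of this thread or of osCommerce's own code: a small POSIX shell audit that applies Mattice's advice (session directory outside the document root, owned by the user the webserver runs as, mode 700) and reports which condition fails. It assumes GNU coreutils `stat -c`; the web user name, document root and session path are placeholders modelled on the posts above, and `fix_session_dir` needs root for the chown. Run against a directory that is 755 but owned by the account user rather than the webserver user, it shows why the original poster could only make it work with 777: the wrong owner, not a too-narrow mode, was the problem.

```shell
#!/bin/sh
# Added example (not from the thread or osCommerce): audit a PHP session save
# path against the advice given above. Assumes GNU `stat -c`. All paths and
# user names used in the usage section are placeholders.

# check_session_dir DIR DOCROOT WEBUSER
# Returns 0 when DIR is outside DOCROOT, owned by WEBUSER and mode 700;
# otherwise prints each failed check and returns 1.
check_session_dir() {
    dir=$1; docroot=$2; webuser=$3
    rc=0
    if [ ! -d "$dir" ]; then
        echo "FAIL: $dir is not a directory"
        return 1
    fi
    # Resolve symlinks so a link inside the docroot cannot hide the real location.
    realdir=$(cd "$dir" && pwd -P)
    realroot=$(cd "$docroot" && pwd -P)
    case "$realdir" in
        "$realroot"|"$realroot"/*)
            echo "FAIL: $dir lives inside the document root $docroot (browsable)"
            rc=1 ;;
    esac
    owner=$(stat -c %U "$dir")
    mode=$(stat -c %a "$dir")
    if [ "$owner" != "$webuser" ]; then
        echo "FAIL: owned by $owner, expected webserver user $webuser"
        rc=1
    fi
    if [ "$mode" != "700" ]; then
        echo "FAIL: mode is $mode, expected 700 (no group/other access)"
        rc=1
    fi
    return $rc
}

# fix_session_dir DIR WEBUSER: apply the chown + chmod 700 from the thread.
# Needs root for the chown; chmod alone is not enough if the owner is wrong.
fix_session_dir() {
    chown "$2" "$1" && chmod 700 "$1"
}

# Usage (placeholder values): as root, on the poster's layout
#   fix_session_dir /home/wizardwo/sessions nobody
#   check_session_dir /home/wizardwo/sessions /home/wizardwo/public_html nobody
```

The document-root check compares resolved paths, so a `sessions` symlink pointing back under `public_html` is still caught. Wider modes such as 777 make the directory writable for every local account on a shared host, which is exactly the exposure the thread describes; fixing ownership lets the mode stay at 700.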
Guest Posted March 22, 2003

Hi Steve, I changed the define('STORE_SESSIONS', 'mysql') in catalog/includes/configure.php and admin/includes/configure.php to mysql. I am getting this error:

Fatal error: session_start() [function.session-start]: Failed to initialize session module in /home/wizardwo/public_html/catalog/includes/functions/sessions.php on line 67

In the admin at first I had the sessions directory listed under the configuration. Then I removed the listing completely in admin and am still getting this error.
Guest Posted March 22, 2003

Mattice, if I store the sessions in mysql what settings do I set in the admin for sessions? It is my server running Linux and I put the sessions directory outside of the public directory in each person's account and have to set the permissions to 777, otherwise I get this error:

Warning: I am not able to write to the sessions directory: /home/wizardwo/sessions. Sessions will not work until the right user permissions are set.

I tried 700 and 755. What is the safest thing for me to do, and are these sessions supposed to be deleted or never be deleted?
toolcrazy Posted March 23, 2003

Hi Steve, I changed the define('STORE_SESSIONS', 'mysql') in catalog/includes/configure.php and admin/includes/configure.php to mysql. I am getting this error: Fatal error: session_start() [function.session-start]: Failed to initialize session module in /home/wizardwo/public_html/catalog/includes/functions/sessions.php on line 67 In the admin at first I had the sessions directory listed under the configuration. Then I removed the listing completely in admin and am still getting this error.

You may want to set your sessions auto start in your PHP.ini file to off. I think this is what is causing the error. And put the define back into the admin configure.php.

Steve
Guest Posted March 23, 2003

Are the sessions supposed to be deleted periodically? I changed both the configure.php files and removed mysql. I understand what the sessions do but don't understand these settings and whether to delete the sessions or not. Seems like they would take up a lot of space on someone's server.
Guest Posted April 5, 2003

I've been battling this problem for some time and had been pulling my hair out. Just the lower right corner info boxes and the footer wouldn't load, and it was sporadic. Sometimes it was worse, and took hitting refresh five or six times to fix. I had my admin bounce the PHP daemon, and it didn't help. I had them bounce the Apache daemon, and that helped a bit (only had to hit refresh once), but the problem lingered. Then I set the store_sessions='mysql' to be store_sessions='' and voila! I believe this option has to be configured according to individual server configs, as we know there are few that are alike.