81

I recently upgraded to PHP 5.3 and since then I get (sporadic) error messages which indicate Apache (or may be the cleaner of the session files) has no permissions to the folder where the sessions are stored.
This happens randomly and can't be reproduced with exact steps, which led me to guess it is the session cleaner.
Any one has any experience with such errors?

The error message (which is fired on the session_start() line) is:

ps_files_cleanup_dir: opendir(/var/lib/php5) failed: Permission denied.

ls -ltr on the session directory gives:

drwx-wx-wt  2 root          root          4096 2010-05-25 12:39 php5

Inside this directory I do see session files owned by www-data which is my Apache, and the app does work fine. Which makes me wonder, under which user does the session GC runs?

Itay Moav -Malimovka
  • 52,579
  • 61
  • 190
  • 278
  • I did, but not on 5.3. Turned out to be a permissions error that had filtered down to the session save path. I assume you've checked permissions? – Jarrod Nettles May 25 '10 at 13:11
  • @Jarrod I see www-data can read and write to that folder (which has w & r for everybody right now ,user,group and world) should I check something else? – Itay Moav -Malimovka May 25 '10 at 13:14
  • I'm guessing the reason it happens sporadically is that the error occurs when the session garbage collector is run, which I think by default has a 1% chance of running per session initialization. Have you made any changes to php.ini concerning sessions? What's outside the default here? Check the owner of the session folder, after that I'm at a loss without seeing the .ini or errors. – Jarrod Nettles May 25 '10 at 13:51
  • The owner is root, the sessions are created by www-data, everybody has access to this folder. I'll go over the ini settings one by one, look for something suspicious. – Itay Moav -Malimovka May 25 '10 at 14:19
  • ps_files_cleanup_dir: opendir(/var/lib/php5) failed: Permission denied ( – Itay Moav -Malimovka May 25 '10 at 14:37
  • @Itay Moav: "www-data can read and write to that folder" - does it have execute? And have you checked thats the webserver uid? Have you tried creating a file in that dir (or filesystem) as that uid? – symcbean May 25 '10 at 15:40
  • no execute permissions, but it shouldn't have those. I see session files being created there correctly. www-data is the webserver user – Itay Moav -Malimovka May 25 '10 at 16:58

4 Answers4

121

The fix: In your php.ini set session.gc_probability to 0

The cause I believe I found the answer here http://somethingemporium.com/2007/06/obscure-error-with-php5-on-debian-ubuntu-session-phpini-garbage

Essentially, the garbage collection is set up to be done by cron jobs on some systems (i.e. Ubuntu/Debian). Some php ini executables like php-cli also try to do garbage collection and that results in the error you got.

Diwant Vaidya
  • 1,326
  • 1
  • 8
  • 2
  • 7
    I'm experiencing this issue on Ubuntu 10.04 as well, but upon checking the php.ini I found `session.gc_probability` already set to `0`. – Jonathan Feb 25 '13 at 20:21
  • 5
    @Jonathan - You'll probably find that your application is setting the value then. – SynackSA Mar 14 '13 at 08:10
  • 4
    @SynackSA Oddly enough, it's when I create a custom, site specific php.ini file, that's when the `session.gc_probability` triggers to 1. This happened even when there are no settings in the php.ini file **whatsoever**! I'm running suphp on Ubuntu, Apache 2.2. I wonder if that is some type of bug. Anyway, adding `session.gc_probability = 0` to my custom, site specific php.ini file seems to resolve the issue. – Jonathan Apr 05 '13 at 21:42
  • 2
    @Jonathan That's the way it's suppose to work, as the default value is 1 – ROunofF Jan 16 '15 at 15:02
  • 2
    This disables session garbage collection. You should probably want to check if there is actually a cron cleaning up your sessions. – hansgoed Feb 01 '16 at 13:31
23

This seems to be a typical error on Ubuntu servers (I'm using Lucid LTS). The default permissions of the /var/lib/php5 directory there are 

drwx-wx-wt  2 root     root     4096 2011-11-04 02:09 php5

so it can be written but not read by the web server, I guess that explains the errors.

As Ubuntu has it's own garbage cleaning via cron (/etc/cron.d/php5), it's probably best to disable php's garbage collection as suggested above by Diwant Vaidya.

session.gc_probability = 0

There's actually a reason the session folder should not be world readable - as the PHP Manual says:

If you leave this set to a world-readable directory, such as /tmp (the default), other users on the server may be able to hijack sessions by getting the list of files in that directory.

sanmai
  • 29,083
  • 12
  • 64
  • 76
Marie Fischer
  • 811
  • 5
  • 5
2

The solution I currently use (which I am not sure is the correct one) is to give ownership on the session folder to the Apache user (www-data in my case).

Itay Moav -Malimovka
  • 52,579
  • 61
  • 190
  • 278
2

This issue has been bugging me for a while. I changed the value as suggested in php.ini and the issue kept occurring. I found the same config value in my index.php and also private/Zend/session.php. So it's worth looking a bit deeper if the issue keeps occurring. I hope this is useful for someone.

ChrisFNZ
  • 597
  • 1
  • 4
  • 21