zq29 Posted August 10, 2008 Share Posted August 10, 2008 We have a dedicated server managed by our hosting company which was recently migrated from a FreeBSD/PHP4/MySQL4 box to an Ubuntu/PHP5/MySQL5 box. It appears that all of the accounts on the new server, assumed to be created as virtual hosts, are all trying to share the same PHP session files. For example, I have created a basic script as follows: <?php session_start(); $_SESSION['test'] = "test"; echo $_SESSION['test']; ?> Now, the first virtual host I execute the script on returns 'test' as it should, but each subsequent execution on a different virtual host returns an error like so: Warning: session_start() [function.session-start]: open(/tmp/sess_3373fb7c1f4650a35d7f417419bbfd6b, O_RDWR) failed: Permission denied (13) in /home/f/o/foo/public_html/test.php on line 2 Warning: session_start() [function.session-start]: Cannot send session cookie - headers already sent by (output started at /home/f/o/foo/public_html/test.php:2) in /home/f/o/foo/public_html/test.php on line 2 Warning: session_start() [function.session-start]: Cannot send session cache limiter - headers already sent (output started at /home/f/o/foo/public_html/test.php:2) in /home/f/o/foo/public_html/test.php on line 2 Obviously the path to test.php is different on each virtual host, but the path to the session file (/tmp/sess_3373fb7c1f4650a35d7f417419bbfd6b) is the same. Running ls -la /tmp points out that /tmp/sess_3373fb7c1f4650a35d7f417419bbfd6b has a uid that belongs to the first virtual host that executed the script. My hosting company can't find anything wrong, and are telling me that my scripts are trying to access sessions created by other accounts, but my test script is just trying to create a session, not pick up a session previously created by another account, as you can see above. Does anyone have any ideas of what I could suggest to my hosting company, or where I might be looking to solve this problem? Many thanks. Quote Link to comment Share on other sites More sharing options...
corbin Posted August 11, 2008 Share Posted August 11, 2008 If it's a VPS you can just change up the perms of /tmp. If not, you'll have to either get your host to change them, or use your own session path. (Either change the ini setting [not sure if you can on the fly...] where sessions are saved, or use your own session handler.) Quote Link to comment Share on other sites More sharing options...
zq29 Posted August 11, 2008 Author Share Posted August 11, 2008 This is one of our dedicated servers, I have chroot access to it. /tmp is writable by the account users, but the problem is, accounts are trying to share the same sessions when they shouldn't be. On the server we migrated from the session save path was /tmp and each account created and used its own sessions in that directory - I'm sure there must be a configuration problem somewhere... There are about 50 websites on this server, rewriting the code on each of them isn't really a favorable option when it sounds like a config issue. Quote Link to comment Share on other sites More sharing options...
corbin Posted August 11, 2008 Share Posted August 11, 2008 Hrmmm weird. So you're going from like... something.com to somethingelse.com, and it's keeping the same session id? That sounds weird. The session cookie should only work for the domain on which it was created. Quote Link to comment Share on other sites More sharing options...
zq29 Posted August 11, 2008 Author Share Posted August 11, 2008 That sounds weird. The session cookie should only work for the domain on which it was created. Oh, it's interesting that you say domain as my nameservers are still pointing to the old server until we're happy with the new one, so I have been accessing each account from an IP address and directory, i.e. http://123.123.123.123:81/foo/ But I have tested the same access method on our other server (http://321.321.321.321:81/bar/) and the sessions are working fine... Quote Link to comment Share on other sites More sharing options...
corbin Posted August 11, 2008 Share Posted August 11, 2008 Try making entries in your hosts file (if you're on Windows), and see if the same problem is there with domain names. Quote Link to comment Share on other sites More sharing options...
zq29 Posted August 11, 2008 Author Share Posted August 11, 2008 I use Linux, though we use a hosts file too I have just attributed two unused domains to the accounts, and accessing them through the domains doesn't produce the error, everything works as it should. But it should also work when accessing the accounts by the IP - I have reported my findings to my host, hopefully this might help them figure it out. Cheers for your input Corbin. Quote Link to comment Share on other sites More sharing options...
trq Posted August 11, 2008 Share Posted August 11, 2008 But it should also work when accessing the accounts by the IP I dont think so. http://321.321.321.321:81/foo and http://321.321.321.321:81/bar are actually refered to by the same ip address so apache thinks it safe to share the sessions. Quote Link to comment Share on other sites More sharing options...
zq29 Posted August 11, 2008 Author Share Posted August 11, 2008 But it should also work when accessing the accounts by the IP I dont think so. http://321.321.321.321:81/foo and http://321.321.321.321:81/bar are actually refered to by the same ip address so apache thinks it safe to share the sessions. That was my initial thought, but some how, one of our other servers appears to figure it out somehow. Not that it's an issue now that I have solved to problem, no one is going to access any of the sites by the server IP anyway... Quote Link to comment Share on other sites More sharing options...
corbin Posted August 11, 2008 Share Posted August 11, 2008 "That was my initial thought, but some how, one of our other servers appears to figure it out somehow. Not that it's an issue now that I have solved to problem, no one is going to access any of the sites by the server IP anyway..." The other server probably has looser permissions on tmp. Quote Link to comment Share on other sites More sharing options...
AjBaz100 Posted August 21, 2008 Share Posted August 21, 2008 I had a similar problem, but found that Firefox shares a session unless you start it in a different profile for each instance. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.