DirectAdmin Knowledge Base and Support


session.save_path is not set, or how to store sessions securely with DirectAdmin

14:28:53 10.08.2012

If you get an error like "PHP SAFE MODE Restriction in effect" or "session.save_path is not set", the solution might be as follows:

Make sure session.save_path is uncommented in your php.ini file:

grep session.save_path /usr/local/lib/php.ini

and

grep session.save_path /usr/local/etc/php5/cgi/php.ini

You should see something like this:

session.save_path = "/tmp"

If you see something different, update it and restart Apache.

Individual session.save_path for users

Case: Apache + PHP as mod_php

It has been noted that pointing session.save_path at /tmp is not very secure: an attacker with a hosting account on your server might hijack a session file from a neighboring site if they manage to list the files located in /tmp. To prevent this you might want to store sessions under the user's home directory, e.g.

session.save_path=/home/userbob/tmp_sessions

To make it work, you should set the directive for every virtual host. Open the corresponding template file and find the line

php_admin_flag engine |PHP|

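and add a new line below it (php_admin_value takes the setting name and the value as two separate arguments, and the directory name must match the one created by the script further down):

php_admin_value session.save_path |HOME|/tmp_sessions

You should update the following files this way: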

/usr/local/directadmin/data/templates/custom/virtual_host2.conf
/usr/local/directadmin/data/templates/custom/virtual_host2_secure.conf
/usr/local/directadmin/data/templates/custom/virtual_host2_secure_sub.conf
/usr/local/directadmin/data/templates/custom/virtual_host2_sub.conf

The directory should be created automatically whenever a user is added. Use this script to achieve that:

/usr/local/directadmin/scripts/custom/user_create_post.sh

and add the lines

# Create a private session directory in the new user's home
DIR="/home/$username"
mkdir -p "$DIR/tmp_sessions"
chown "$username:$username" "$DIR/tmp_sessions"
chmod 700 "$DIR/tmp_sessions"

From now on, all new accounts will get these settings by default. You might also need to update your existing users. To do this, run:

echo "action=rewrite&value=httpd" >> /usr/local/directadmin/data/task.queue

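and this command to create the necessary directories (entries in /home that are not system accounts are skipped):

cd /home && for user in *; do id "$user" >/dev/null 2>&1 || continue; echo "$user"; mkdir -p "/home/$user/tmp_sessions"; chmod 700 "/home/$user/tmp_sessions"; chown "$user:$user" "/home/$user/tmp_sessions"; done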
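
A check for the result of the steps above, as an added example that is not part of the original article: it reports every account whose tmp_sessions directory is missing, is a symlink, is owned by another user, or is not mode 700. The function names are made up for this example, and it assumes GNU stat (Linux) and the tmp_sessions directory created by the script above.

```shell
#!/bin/sh
# Added example (not DirectAdmin code): audit per-user PHP session directories.
# Assumes GNU stat and the tmp_sessions name used by user_create_post.sh.

# session_dir_status DIR EXPECTED_UID
# Prints one word describing DIR and returns 0 only when it prints "ok".
session_dir_status() {
    dir=$1
    want_uid=$2
    # A symlink could redirect session files (or a later chown) elsewhere.
    if [ -L "$dir" ]; then echo symlink; return 1; fi
    if [ ! -d "$dir" ]; then echo missing; return 1; fi
    own=$(stat -c '%u' "$dir")     # numeric owner
    mode=$(stat -c '%a' "$dir")    # octal permissions, e.g. 700
    if [ "$own" != "$want_uid" ]; then echo wrong-owner; return 1; fi
    # Anything other than 700 lets group/other list or read session files.
    if [ "$mode" != "700" ]; then echo "bad-mode:$mode"; return 1; fi
    echo ok
}

# audit_all [BASE]
# Walks BASE (default /home) and prints "user: problem" for each account
# whose session directory is not "ok". Directories that do not belong to
# a system account are skipped.
audit_all() {
    base=${1:-/home}
    for home in "$base"/*/; do
        home=${home%/}
        user=$(basename "$home")
        uid=$(id -u "$user" 2>/dev/null) || continue
        status=$(session_dir_status "$home/tmp_sessions" "$uid") \
            || echo "$user: $status"
    done
}

# Usage (as root): audit_all /home
```

No output from audit_all means every account's directory passed all four checks.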

By the way, the fact that it is insecure to store PHP sessions in the /tmp directory might be the reason why the setting is commented out in the default php.ini and why some PHP scripts define their own session storage.
