Location for Session Files in Apache/PHP

Location for session files in Apache/PHP

The default session.save_path is set to "" which will evaluate to your system's temp directory. See this comment at https://bugs.php.net/bug.php?id=26757 stating:

The new default for save_path in upcoming releaess (sic) will be the empty string, which causes the temporary directory to be probed.

You can use sys_get_temp_dir to return the directory path used for temporary files.

To find the current session save path, you can use

  • session_save_path() — Get and/or set the current session save path

Refer to this answer to find out what the temp path is when this function returns an empty string.

Can you help me locate PHP session files?

session_save_path() - they have no extension, they are long string UID named files.

How to get my session to write to apache

Try changing your session save path in your php config file, /tmp is a good location.


session.save_path = /tmp


cleanup php session files

To handle session properly, take a look at http://php.net/manual/en/session.configuration.php.

There you'll find these variables:

  • session.gc_probability
  • session.gc_divisor
  • session.gc_maxlifetime

These control the garbage collector (GC) probability of running with each page request.

You could set those with ini_set() at the beginning of your script or .htaccess file so you get certainty to some extent they will get deleted sometime.

Handle lots of session files with apache2 and php

Sometimes the solution is easier than it might appear at first. Somehow I thought that PHP has to handle and manage the Apache requests to the sessions directory tree. However, Apache does it on its own once session.save_path has been changed.

1.) call this (modified) script ( http://snipplr.com/view/27710/modfilessh-php/ ) once via ssh:

sh path/to/script/mod_files.sh path/to/sessions depth (in my case: "mod_files.sh /tmp/sessions 1")

2.) double-check chown rights of new sessions directory tree

3.) change "session.save_path" to "1;/tmp/sessions"

Thanks for your help nevertheless!

Permissions to PHP session files

I just had this same problem. It appears to be a problem with the way Apache returns session data for IE7 and IE8, but most likely because IE7 and IE8 have an improper way of announcing the domain they're requesting session data for.

Here's my scenario:

Running Apache 1.3 with two domains, each has their own account with their own users:

Domain: mycompany.com 
Session path: /tmp/
Webserver user: mycompanycom

Domain: support.mycompany.com
Session path: /tmp/
Webserver user: nobody

Here is what happens during a normal visit with Firefox/Safari/Chrome:

  1. I visit mycompany.com and session file is created in /tmp/ owned by the user mycompanycom.
  2. I then visit support.mycompany.com, and second session file is created in /tmp/ owned by user nobody.
  3. Apache doesn't get confused and the correct session files are returned

However, here's what happens during a visit with IE7 and IE8:

  1. I visit mycompany.com and session file is created in /tmp/ owned by the user mycompanycom.
  2. I then visit support.mycompany.com and, instead of creating second session file in /tmp/ owned by the user nobody, Apache tries to return the session file for mycompany.com.
  3. The session file for mycompany.com is owned by the user mycompanycom, so the web server, running as user nobody cannot access it. Permission is denied.

The solution was, as others have suggested, to create a separate directory in /tmp/ to separate the stored session data for support.mycompany.com:

mkdir /tmp/mycompany
chown nobody:nobody /tmp/mycompany

I then added the following to an .htaccess file in the root web directory for support.mycompany.com:

php_value session.save_path '/tmp/mycompany'

And finally, I removed any existing session data in /tmp/ to ensure the new session path would get used immediately:

rm -f /tmp/sess_*

And that's it! Now IE7 and IE8 work properly.

I'm fairly certain this problem has to do with how IE7 and IE8 request session data from Apache. They probably first request session data for mycompany.com and THEN request session data for support.mycompany.com, even though the latter was the only domain entered in the address bar.
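
Added example, not part of the answers above: a POSIX shell audit of the directory that session.save_path points to, covering the "N;/path" depth form and the ownership mismatch described in the answers. Function names and finding labels are hypothetical, and the empty-value fallback to $TMPDIR or /tmp is an assumption that approximates PHP's temp-directory probing.

```shell
#!/bin/sh
# Added example (not from the original answers): audit a PHP file-session
# directory. Function names and finding labels are hypothetical.

# session.save_path is "", "/path", "N;/path" or "N;MODE;/path".
# Print the directory part; "" falls back to $TMPDIR or /tmp (an assumption
# that approximates PHP's temp-directory probing).
session_dir() {
    case "$1" in
        "") printf '%s\n' "${TMPDIR:-/tmp}" ;;
        *)  printf '%s\n' "${1##*;}" ;;
    esac
}

# Print the subdirectory depth N, or 0 when the value has no "N;" prefix.
session_depth() {
    case "$1" in
        *\;*) printf '%s\n' "${1%%;*}" ;;
        *)    printf '0\n' ;;
    esac
}

# audit_sessions SAVE_PATH OWNER: print one finding per line.
#   DIR_LISTABLE  directory is readable by "other", so any local user can
#                 list the sess_<id> file names, which are the session IDs
#   WRONG_OWNER   session file not owned by the expected web server user
#   LOOSE_MODE    session file readable by group or other
audit_sessions() {
    dir=$(session_dir "$1")
    max=$(( $(session_depth "$1") + 1 ))
    find "$dir" -maxdepth 0 -perm -0004 -exec echo DIR_LISTABLE {} \;
    find "$dir" -maxdepth "$max" -type f -name 'sess_*' \
        ! -user "$2" -exec echo WRONG_OWNER {} \;
    find "$dir" -maxdepth "$max" -type f -name 'sess_*' \
        \( -perm -0040 -o -perm -0004 \) -exec echo LOOSE_MODE {} \;
}

# Stand-alone use: sh audit.sh SAVE_PATH OWNER
if [ "$#" -ge 2 ]; then
    audit_sessions "$1" "$2"
fi
```

An empty result means the directory is not listable by other local users and every sess_* file is private to the expected owner; a dedicated directory such as the /tmp/mycompany one above only gives that result if its mode also excludes "other".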
