Solved

problem with session permission

Posted on 2013-01-28
Last Modified: 2013-02-22
Hi,
I have my own MVC that works perfectly on my local machine (using XAMPP), but once I uploaded it to GoDaddy's server I get all sorts of problems.
Now I get this error:
session_start() [function.session-start]: open(/var/chroot/home/content/b/r/e/me/html/bd4fbf5fde58e7f20593bb6a6241a63a/sess_gkr0b3cfr0ag4slnhns93b9no1, O_RDWR) failed: Permission denied (13)

When I do ini_get("session.save_path") on my local machine I get: C:\xampp/tmp, but on the remote server I get: /tmp.

When I asked GoDaddy support about it (I had the feeling that maybe I had uploaded my MVC to the wrong folder, but they say that my files are in the right place), they said: we do not help with code issues. I said that it does not seem to me to be a code issue, but they insist.

In my code I have a constant that determines where the session is placed, like this:
define("__SESSION_SALT", $_SERVER['HTTP_HOST']);
define("__SESSION_NAME", preg_replace("/[^a-z0-9]/i", "", $_SERVER['HTTP_HOST']));
$sessionfoldername = md5("_sessiondata");
define("__SESSION_DIR", str_replace(".", "_", $_SERVER['HTTP_HOST']) . $sessionfoldername);

Again, all works on the local machine.
0
Comment
Question by:derrida
21 Comments
 
LVL 13

Expert Comment

by:stergium
hello.
Try this one
Create a php5.ini file in your directory and put the following in.

;Save your session path below
session.save_path = /tmp

please feedback
0
 
LVL 1

Author Comment

by:derrida
hi
the same results:

session_start() [function.session-start]: open(/var/chroot/home/content/b/r/e/me/html/bd4fbf5fde58e7f20593bb6a6241a63a/sess_gkr0b3cfr0ag4slnhns93b9no1, O_RDWR) failed: Permission denied (13)
0
 
LVL 1

Author Comment

by:derrida
I also tried: sessions.save_path =  /xampp/tmp
same result
0
 
LVL 13

Expert Comment

by:stergium
try renaming the php5.ini file to php.ini
0
 
LVL 1

Author Comment

by:derrida
the same error.
0
 
LVL 1

Author Comment

by:derrida
also tried:
 sessions.
and
 session.

no effect
0
 
LVL 13

Expert Comment

by:stergium
ok using the
session_save_path('/tmp');

you get the same results?
0
 
LVL 1

Author Comment

by:derrida
in the ini file?
0
 
LVL 1

Author Comment

by:derrida
I have put it in the session class and got the same error.
0
 
LVL 1

Accepted Solution

by:
derrida earned 0 total points
I have changed some permissions and it works.
0
 
LVL 1

Author Comment

by:derrida
I've requested that this question be deleted for the following reason:

I have changed some permissions and it works, even though that was the first thing I tried and it did not work, but now it does.
0
 
LVL 34

Expert Comment

by:gr8gonzo
Objecting not because of something the author did incorrectly when closing the question, but because it's most likely the incorrect approach.

1. Don't try to fix this with permissions. It might technically work as a "quick fix", but it also puts your session data into the web-accessible directories, which is a security issue.

2. It looks like you might be using a variation of this code:
http://www.phpkode.com/source/s/secure-session-extended/SecureSession.php4.class.php

In that code, I see that the constructor sets the session_save_path:
ini_set("session.save_path", $DirectoryPath);

This will take precedence over the php.ini changes. You need to change the __SESSION_DIR constant to "/tmp" or create a folder inside YOUR account which is not inside the document root (the web-accessible portion) that only has your own permissions, and then set the __SESSION_DIR to that path.
0
 
LVL 1

Author Comment

by:derrida
If I change the SESSION_DIR to "/tmp" I get the error again.
I am not using this class, but I did use it to help me with encrypting my session.
0
 
LVL 1

Author Comment

by:derrida
I made my session folder 744, is that not safe?
0
 
LVL 34

Expert Comment

by:gr8gonzo
It's probably better to do the latter anyway - to create a folder inside your account. So let's say this is your account directory:

/var/chroot/home/content/b/r/e/me/

...and this is your publicly web-accessible document root:
/var/chroot/home/content/b/r/e/me/html/

Create a folder like:
/var/chroot/home/content/b/r/e/me/sessions/

Make sure that the DOCUMENT_ROOT directory actually does map to the "html" folder, then update your code as such:

Old:
define("__SESSION_SALT", $_SERVER['HTTP_HOST']);
define("__SESSION_NAME", preg_replace("/[^a-z0-9]/i", "", $_SERVER['HTTP_HOST']));
$sessionfoldername = md5("_sessiondata");
define("__SESSION_DIR", str_replace(".", "_", $_SERVER['HTTP_HOST']) . $sessionfoldername);

New:
define("__SESSION_SALT", $_SERVER['HTTP_HOST']);
define("__SESSION_NAME", preg_replace("/[^a-z0-9]/i", "", $_SERVER['HTTP_HOST']));
define("__SESSION_DIR", $_SERVER["DOCUMENT_ROOT"] . "/../sessions");

See if that works properly. If you can make the session folder into 700, or 740, then that is going to be more secure. It all depends on GoDaddy's filesystem permissions setup and whether PHP can access those files. Preferably, you don't want to set the last number to anything but 0, otherwise EVERYONE on the server can have some degree of access to that folder.
0
 
LVL 34

Expert Comment

by:gr8gonzo
By the way, 744 breaks down like this:

7 = RWX = Dir/File's owner has (R)ead, (W)rite, and e(X)ecute privileges
4 = R = Dir/File's owner's group has (R)ead privileges
4 = R = Everyone has (R)ead privileges

The tricky part is that while YOUR username might be "johnsmith", that might not be the username that PHP uses when it is running. So when someone accesses a PHP script on your site, it might run under a different username like "www" or "nobody". That means that whatever user account that PHP uses, you will need to give it enough permissions to read and write your session files.

There is an easy way to see the username and group that PHP runs under. Create a folder and give it full 777 permissions. Then use a small PHP script to simply create a file inside that folder:

<?php
file_put_contents("testdir/testfile.txt", "testing");
?>

That file's creator / owner will be set to whatever PHP is using, so you can just log into FTP and look at the names to know for sure. Then delete that test folder afterwards.
0
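
The owner/group/other breakdown in the post above decides whether PHP can create `sess_*` files in a folder. The following is an added PHP example, not code from the thread: the `sessions` path is a hypothetical name, and where the POSIX extension is missing the group check is skipped, so PHP is then classed as either owner or "other".

```php
<?php
// Added example (not from the thread): report which permission class applies
// to the PHP process for a directory and whether it can create files there.

function php_process_uid()
{
    if (function_exists('posix_geteuid')) {
        return posix_geteuid();
    }
    // Fallback: a file PHP creates is owned by the user PHP runs as.
    $probe = @tempnam(sys_get_temp_dir(), 'uid');
    if ($probe === false) {
        return null;
    }
    $uid = fileowner($probe);
    unlink($probe);
    return $uid;
}

function describe_session_dir($dir)
{
    clearstatcache();
    if (!is_dir($dir)) {
        return "not a directory: $dir";
    }
    $mode = fileperms($dir) & 0777;          // rwx bits only, e.g. 0744
    $uid  = php_process_uid();
    $gids = function_exists('posix_getgroups')
        ? array_merge((array) posix_getgroups(), array(posix_getegid()))
        : array();                           // assumption: no POSIX, skip group check

    if ($uid !== null && $uid === fileowner($dir)) {
        $class = 'owner';
        $bits  = ($mode >> 6) & 7;
    } elseif (in_array(filegroup($dir), $gids, true)) {
        $class = 'group';
        $bits  = ($mode >> 3) & 7;
    } else {
        $class = 'other';
        $bits  = $mode & 7;
    }
    $canCreate = ($bits & 3) === 3;          // needs write (2) + search (1)
    $otherBits = ($mode & 7) !== 0;          // last digit not 0: open to everyone
    return sprintf('%s mode=%04o class=%s can_create=%s other_access=%s',
        $dir, $mode, $class, $canCreate ? 'yes' : 'no', $otherBits ? 'yes' : 'no');
}

// Hypothetical path: point this at the real session folder.
echo describe_session_dir(__DIR__ . '/sessions'), "\n";
```

For a 744 folder this reports `can_create=yes` only when PHP runs as the folder's owner; in the group or "other" class the read-only 4 is not enough to create session files.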
 
LVL 1

Author Comment

by:derrida
I do not think I have access outside the html folder.
0
 
LVL 34

Expert Comment

by:gr8gonzo
I was in a client's GoDaddy account last year and they had that type of directory structure. Are you checking via FTP and trying to change to the parent directory?
0
 
LVL 82

Expert Comment

by:Dave Baldwin
None of the half dozen Godaddy accounts that I currently have access to on shared hosting will allow you to go above the web root.
0
 
LVL 34

Expert Comment

by:gr8gonzo
I stand corrected, then. If you're going to store session data inside the document root, try to add an .htaccess file to help protect it from direct access and make the contents of the folder inaccessible via web requests.
0
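
The two options discussed in this thread (a session folder outside the document root, or one inside it protected by .htaccess) can be combined into one bootstrap step. The following is an added PHP example, not code from the thread: the folder names `sessions` and `_sessions` are hypothetical, and the .htaccess rules assume an Apache host that honours per-directory overrides.

```php
<?php
// Added example (not from the thread): pick a session directory, lock it down,
// then start the session. "sessions" and "_sessions" are hypothetical names.

function prepare_session_dir($docRoot)
{
    $docRoot = rtrim($docRoot, '/');
    $candidates = array(
        dirname($docRoot) . '/sessions' => false, // outside the document root
        $docRoot . '/_sessions'         => true,  // inside it: web-reachable
    );
    foreach ($candidates as $dir => $webReachable) {
        if (!is_dir($dir) && !@mkdir($dir, 0700)) {
            continue;                   // cannot create it here, try the next
        }
        @chmod($dir, 0700);             // owner only; may fail if PHP is not the owner
        if (!is_writable($dir)) {
            continue;
        }
        $htaccess = $dir . '/.htaccess';
        if ($webReachable && !is_file($htaccess)) {
            // Deny every web request (Apache 2.4 syntax first, then 2.2).
            $rules = "<IfModule mod_authz_core.c>\n  Require all denied\n</IfModule>\n"
                   . "<IfModule !mod_authz_core.c>\n  Order allow,deny\n"
                   . "  Deny from all\n</IfModule>\n";
            if (file_put_contents($htaccess, $rules) === false) {
                continue;
            }
        }
        return $dir;
    }
    return false;
}

$dir = prepare_session_dir($_SERVER['DOCUMENT_ROOT']);
if ($dir === false) {
    die('No usable session directory');
}
session_save_path($dir);                // must run before session_start()
session_start();
```

After deploying, request a file from the in-root folder with a browser; a 403 response confirms the deny rules are active.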
 
LVL 1

Author Closing Comment

by:derrida
Since I have no access to outside the root, changing the permissions is the way it worked.
0
