problem with session permission

hi
i have my own MVC that works perfectly on my local machine (using xampp), but once i have uploaded it to godaddy`s server i get all sorts of problem.
now i get this error:
session_start() [function.session-start]: open(/var/chroot/home/content/b/r/e/me/html/bd4fbf5fde58e7f20593bb6a6241a63a/sess_gkr0b3cfr0ag4slnhns93b9no1, O_RDWR) failed: Permission denied (13)

when i do ini_get("session.save_path") on my local machine i get: C:\xampp/tmp but on the remote server i get: /tmp.

when i asked godaddy support about it (and i had the feeling that maybe i have uploaded my mvc to the wrong folder but they say that my files are in the right place) they say: we do not help with code issues. i say that it does not seem to me a code issue but they insist.

in my code i have a constant that determine the session placed like that:
define("__SESSION_SALT", $_SERVER['HTTP_HOST']);
define("__SESSION_NAME", preg_replace("/[^a-z0-9]/i", "", $_SERVER['HTTP_HOST']));
$sessionfoldername = md5("_sessiondata");
define("__SESSION_DIR", str_replace(".", "_", $_SERVER['HTTP_HOST']) . $sessionfoldername);

Open in new window


again,all works on local machine
LVL 1
derridaAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

stergiumCommented:
hello.
Try this one
Create a php5.ini file in your directory and put the following in.

;Save your session path below
sessions.save_path = /tmp

please feedback
0
derridaAuthor Commented:
hi
the same results:

session_start() [function.session-start]: open(/var/chroot/home/content/b/r/e/me/html/bd4fbf5fde58e7f20593bb6a6241a63a/sess_gkr0b3cfr0ag4slnhns93b9no1, O_RDWR) failed: Permission denied (13)
0
derridaAuthor Commented:
i also tried: sessions.save_path =  /xampp/tmp
same result
0
CompTIA Network+

Prepare for the CompTIA Network+ exam by learning how to troubleshoot, configure, and manage both wired and wireless networks.

stergiumCommented:
try renaming the php5.ini file to php.ini
0
derridaAuthor Commented:
the same error.
0
derridaAuthor Commented:
also tried:
 sessions.
and
 session.

no effect
0
stergiumCommented:
ok using the
session_save_path('/tmp');

Open in new window

you get the same results?
0
derridaAuthor Commented:
in the ini file?
0
derridaAuthor Commented:
i have put it in the session class and got the same error.
0
derridaAuthor Commented:
i have changed some permission and it works
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
derridaAuthor Commented:
I've requested that this question be deleted for the following reason:

i have changed some permission and it works  even though that was the first thing i have tried and it did not worked, but now it does
0
gr8gonzoConsultantCommented:
Objecting not because of something the author did incorrectly when closing the question, but because it's most likely the incorrect approach.

1. Don't try to fix this with permissions. It might technically work as a "quick fix", but it also puts your session data into the web-accessible directories, which is a security issue.

2. It looks like you might be using a variation of this code:
http://www.phpkode.com/source/s/secure-session-extended/SecureSession.php4.class.php

In that code, I see that the constructor sets the session_save_path:
ini_set("session.save_path", $DirectoryPath);

This will take precedence over the php.ini changes. You need to change the __SESSION_DIR constant to "/tmp" or create a folder inside YOUR account which is not inside the document root (the web-accessible portion) that only has your own permissions, and then set the __SESSION_DIR to that path.
0
derridaAuthor Commented:
if i change the SESSION_DIR to "/tmp" i get the error again.
i am not using this class but i did use it to help me with encrypting my session.
0
derridaAuthor Commented:
i made my session folder 744, is that not safe?
0
gr8gonzoConsultantCommented:
It's probably better to do the latter anyway - to create a folder inside your account. So let's say this is your account directory:

/var/chroot/home/content/b/r/e/me/

...and this is your publically-web-accessible document root:
/var/chroot/home/content/b/r/e/me/html/

Create a folder like:
/var/chroot/home/content/b/r/e/me/sessions/

Make sure that the DOCUMENT_ROOT directory actually does map to the "html" folder, then update your code as such:

Old:
define("__SESSION_SALT", $_SERVER['HTTP_HOST']);
define("__SESSION_NAME", preg_replace("/[^a-z0-9]/i", "", $_SERVER['HTTP_HOST']));
$sessionfoldername = md5("_sessiondata");
define("__SESSION_DIR", str_replace(".", "_", $_SERVER['HTTP_HOST']) . $sessionfoldername);

Open in new window



New:
define("__SESSION_SALT", $_SERVER['HTTP_HOST']);
define("__SESSION_NAME", preg_replace("/[^a-z0-9]/i", "", $_SERVER['HTTP_HOST']));
define("__SESSION_DIR",  $_SERVER["DOCUMENT_ROOT"] . "/../sessions";

Open in new window


See if that works properly. If you can make the session folder into 700, or 740, then that is going to be more secure. It all depends on GoDaddy's filesystem permissions setup and whether PHP can access those files. Preferably, you don't want to set the last number to anything but 0, otherwise EVERYONE on the server can have some degree of access to that folder.
0
gr8gonzoConsultantCommented:
By the way, 744 breaks down like this:

7 = RWX = Dir/File's owner has (R)ead, (W)rite, and e(X)ecute privileges
4 = R = Dir/File's owner's group has (R)ead privileges
4 = R = Everyone has (R)ead privileges

The tricky part is that while YOUR username might be "johnsmith", that might not be the username that PHP uses when it is running. So when someone accesses a PHP script on your site, it might run under a different username like "www" or "nobody". That means that whatever user account that PHP uses, you will need to give it enough permissions to read and write your session files.

There is an easy way to see the username and group that PHP runs under. Create a folder and give it full 777 permissions. Then use a small PHP script to simply create a file inside that folder:

<?php
file_put_contents("testdir/testfile.txt","testing);
?>

That file's creator / owner will be set to whatever PHP is using, so you can just log into FTP and look at the names to know for sure. Then delete that test folder afterwards.
0
derridaAuthor Commented:
do not think i have access outside the html folder.
0
gr8gonzoConsultantCommented:
I was in a client's GoDaddy account last year and they had that type of directory structure. Are you checking via FTP and trying to change to the parent directory?
0
Dave BaldwinFixer of ProblemsCommented:
None of the half dozen Godaddy accounts that I currently have access to on shared hosting will allow you to go above the web root.
0
gr8gonzoConsultantCommented:
I stand corrected, then. If you're going to store session data inside the document root, try to add an .htaccess file to help protect it from direct access and make the contents of the folder inaccessible via web requests.
0
derridaAuthor Commented:
since i have no access to outside the root the changing of the permissions is the way it worked
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
PHP

From novice to tech pro — start learning today.