Solved

problem with session permission

Posted on 2013-01-28
Last Modified: 2013-02-22
Hi,
I have my own MVC that works perfectly on my local machine (using XAMPP), but once I uploaded it to GoDaddy's server I get all sorts of problems.
Now I get this error:
session_start() [function.session-start]: open(/var/chroot/home/content/b/r/e/me/html/bd4fbf5fde58e7f20593bb6a6241a63a/sess_gkr0b3cfr0ag4slnhns93b9no1, O_RDWR) failed: Permission denied (13)

When I do ini_get("session.save_path") on my local machine I get: C:\xampp/tmp but on the remote server I get: /tmp.

When I asked GoDaddy support about it (and I had the feeling that maybe I had uploaded my MVC to the wrong folder, but they say that my files are in the right place) they said: we do not help with code issues. I said that it does not seem to me a code issue, but they insist.

In my code I have a constant that determines the session placement, like this:
define("__SESSION_SALT", $_SERVER['HTTP_HOST']);
define("__SESSION_NAME", preg_replace("/[^a-z0-9]/i", "", $_SERVER['HTTP_HOST']));
$sessionfoldername = md5("_sessiondata");
define("__SESSION_DIR", str_replace(".", "_", $_SERVER['HTTP_HOST']) . $sessionfoldername);

Again, all works on local machine.
0
Question by:derrida
21 Comments
 
LVL 13

Expert Comment

by:stergium
ID: 38826029
Hello.
Try this one:
Create a php5.ini file in your directory and put the following in.

;Save your session path below
sessions.save_path = /tmp

Please give feedback.
0
 
LVL 1

Author Comment

by:derrida
ID: 38826048
Hi,
The same results:

session_start() [function.session-start]: open(/var/chroot/home/content/b/r/e/me/html/bd4fbf5fde58e7f20593bb6a6241a63a/sess_gkr0b3cfr0ag4slnhns93b9no1, O_RDWR) failed: Permission denied (13)
0
 
LVL 1

Author Comment

by:derrida
ID: 38826060
I also tried: sessions.save_path =  /xampp/tmp
Same result.
0
 
LVL 13

Expert Comment

by:stergium
ID: 38826086
Try renaming the php5.ini file to php.ini
0
 
LVL 1

Author Comment

by:derrida
ID: 38826091
The same error.
0
 
LVL 1

Author Comment

by:derrida
ID: 38826221
Also tried:
 sessions.
and
 session.

No effect.
0
 
LVL 13

Expert Comment

by:stergium
ID: 38826252
OK, using the
session_save_path('/tmp');

do you get the same results?
0
 
LVL 1

Author Comment

by:derrida
ID: 38826269
In the ini file?
0
 
LVL 1

Author Comment

by:derrida
ID: 38826274
I have put it in the session class and got the same error.
0
 
LVL 1

Accepted Solution

by:
derrida earned 0 total points
ID: 38826286
I have changed some permissions and it works.
0
 
LVL 1

Author Comment

by:derrida
ID: 38826547
I've requested that this question be deleted for the following reason:

I have changed some permissions and it works, even though that was the first thing I tried and it did not work, but now it does.
0
 
LVL 34

Expert Comment

by:gr8gonzo
ID: 38826548
Objecting not because of something the author did incorrectly when closing the question, but because it's most likely the incorrect approach.

1. Don't try to fix this with permissions. It might technically work as a "quick fix", but it also puts your session data into the web-accessible directories, which is a security issue.

2. It looks like you might be using a variation of this code:
http://www.phpkode.com/source/s/secure-session-extended/SecureSession.php4.class.php

In that code, I see that the constructor sets the session_save_path:
ini_set("session.save_path", $DirectoryPath);

This will take precedence over the php.ini changes. You need to change the __SESSION_DIR constant to "/tmp" or create a folder inside YOUR account which is not inside the document root (the web-accessible portion) that only has your own permissions, and then set the __SESSION_DIR to that path.
0
 
LVL 1

Author Comment

by:derrida
ID: 38826738
If I change the SESSION_DIR to "/tmp" I get the error again.
I am not using this class, but I did use it to help me with encrypting my session.
0
 
LVL 1

Author Comment

by:derrida
ID: 38826751
I made my session folder 744; is that not safe?
0
 
LVL 34

Expert Comment

by:gr8gonzo
ID: 38826817
It's probably better to do the latter anyway - to create a folder inside your account. So let's say this is your account directory:

/var/chroot/home/content/b/r/e/me/

...and this is your publicly web-accessible document root:
/var/chroot/home/content/b/r/e/me/html/

Create a folder like:
/var/chroot/home/content/b/r/e/me/sessions/

Make sure that the DOCUMENT_ROOT directory actually does map to the "html" folder, then update your code as such:

Old:
define("__SESSION_SALT", $_SERVER['HTTP_HOST']);
define("__SESSION_NAME", preg_replace("/[^a-z0-9]/i", "", $_SERVER['HTTP_HOST']));
$sessionfoldername = md5("_sessiondata");
define("__SESSION_DIR", str_replace(".", "_", $_SERVER['HTTP_HOST']) . $sessionfoldername);

New:
define("__SESSION_SALT", $_SERVER['HTTP_HOST']);
define("__SESSION_NAME", preg_replace("/[^a-z0-9]/i", "", $_SERVER['HTTP_HOST']));
define("__SESSION_DIR",  $_SERVER["DOCUMENT_ROOT"] . "/../sessions");

See if that works properly. If you can make the session folder into 700, or 740, then that is going to be more secure. It all depends on GoDaddy's filesystem permissions setup and whether PHP can access those files. Preferably, you don't want to set the last number to anything but 0, otherwise EVERYONE on the server can have some degree of access to that folder.
0
 
LVL 34

Expert Comment

by:gr8gonzo
ID: 38826854
By the way, 744 breaks down like this:

7 = RWX = Dir/File's owner has (R)ead, (W)rite, and e(X)ecute privileges
4 = R = Dir/File's owner's group has (R)ead privileges
4 = R = Everyone has (R)ead privileges

The tricky part is that while YOUR username might be "johnsmith", that might not be the username that PHP uses when it is running. So when someone accesses a PHP script on your site, it might run under a different username like "www" or "nobody". That means that whatever user account that PHP uses, you will need to give it enough permissions to read and write your session files.

There is an easy way to see the username and group that PHP runs under. Create a folder and give it full 777 permissions. Then use a small PHP script to simply create a file inside that folder:

<?php
// The new file's owner shows which user PHP runs as
file_put_contents("testdir/testfile.txt", "testing");
?>

That file's creator / owner will be set to whatever PHP is using, so you can just log into FTP and look at the names to know for sure. Then delete that test folder afterwards.
0
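An added example (not code from this thread) that reports the same information without creating a world-writable test folder: the directory's mode digits, its owner, the user PHP runs as, and whether it sits inside the document root. The function name `audit_session_dir` and the `sessions` path in the last lines are assumptions; the posix_* calls need PHP's POSIX extension and are skipped when it is missing.

```php
<?php
// Added example, not from the thread. audit_session_dir() is a hypothetical helper.
function audit_session_dir(string $dir, string $docRoot): array
{
    $real = realpath($dir);
    if ($real === false || !is_dir($real)) {
        return ["$dir does not exist or is not a directory"];
    }
    $mode = fileperms($real) & 0777;          // keep only the rwx bits, e.g. 0744
    $out  = [sprintf('mode %03o', $mode)];
    if ($mode & 0007) {
        $out[] = 'last digit is not 0: every account on the server has some access';
    }
    if ($mode & 0070) {
        $out[] = 'group bits set: check which accounts share the group';
    }
    $owner = fileowner($real);
    if (function_exists('posix_geteuid')) {
        $euid = posix_geteuid();              // the user this PHP process runs as
        $pw   = posix_getpwuid($euid);
        $name = $pw['name'] ?? (string) $euid;
        $out[] = "PHP runs as $name (uid $euid), directory owner uid is $owner";
        if ($euid !== $owner) {
            $out[] = 'PHP is not the owner, so mode 700 would lock PHP out';
        }
    }
    if (!is_writable($real)) {
        $out[] = 'PHP cannot write here: session_start() cannot create session files';
    }
    $root = realpath($docRoot);
    if ($root !== false && strpos($real . '/', rtrim($root, '/') . '/') === 0) {
        $out[] = 'inside the document root: session files may be web-accessible';
        if (!is_file($real . '/.htaccess')) {
            $out[] = 'no .htaccess in the directory to deny direct requests';
        }
    }
    return $out;
}

// Path below is a placeholder; pass the directory your code uses for sessions.
header('Content-Type: text/plain');
echo implode("\n", audit_session_dir(__DIR__ . '/sessions', $_SERVER['DOCUMENT_ROOT'])), "\n";
```

Remove the script from the server once you have read the output.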
 
LVL 1

Author Comment

by:derrida
ID: 38826857
I do not think I have access outside the html folder.
0
 
LVL 34

Expert Comment

by:gr8gonzo
ID: 38826994
I was in a client's GoDaddy account last year and they had that type of directory structure. Are you checking via FTP and trying to change to the parent directory?
0
 
LVL 83

Expert Comment

by:Dave Baldwin
ID: 38827980
None of the half dozen GoDaddy accounts that I currently have access to on shared hosting will allow you to go above the web root.
0
 
LVL 34

Expert Comment

by:gr8gonzo
ID: 38829412
I stand corrected, then. If you're going to store session data inside the document root, try to add an .htaccess file to help protect it from direct access and make the contents of the folder inaccessible via web requests.
0
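The two options discussed above, as an added example that is not code from this thread: prefer a `sessions` folder beside the document root, and where the host does not allow that, fall back to a folder inside it protected by an .htaccess deny rule. The function name `choose_session_dir` and the .htaccess body are assumptions, as is a host that honours .htaccess overrides for access control.

```php
<?php
// Added example, not from the thread. choose_session_dir() is a hypothetical helper.
function choose_session_dir(string $docRoot): string
{
    $docRoot = rtrim(realpath($docRoot) ?: $docRoot, '/');
    // Preferred: a sibling of the document root, never served by the web server.
    $outside = dirname($docRoot) . '/sessions';
    // Fallback for hosts that do not allow writing above the web root.
    $inside  = $docRoot . '/sessions';

    foreach ([$outside, $inside] as $dir) {
        if (!is_dir($dir) && !@mkdir($dir, 0700)) {
            continue;                 // cannot create it here, try the next candidate
        }
        @chmod($dir, 0700);           // mkdir() mode is reduced by umask, so set it again
        if (!is_writable($dir)) {
            continue;                 // PHP's user cannot write session files here
        }
        if ($dir === $inside && !is_file($dir . '/.htaccess')) {
            // Inside the web root: refuse direct HTTP requests (Apache 2.4, then 2.2 syntax).
            $rules = "<IfModule mod_authz_core.c>\n    Require all denied\n</IfModule>\n"
                   . "<IfModule !mod_authz_core.c>\n    Order allow,deny\n"
                   . "    Deny from all\n</IfModule>\n";
            if (file_put_contents($dir . '/.htaccess', $rules) === false) {
                continue;             // never use an unprotected folder in the web root
            }
        }
        return $dir;
    }
    throw new RuntimeException('No usable session directory');
}

$dir = choose_session_dir($_SERVER['DOCUMENT_ROOT']);
session_save_path($dir);              // must be called before session_start()
session_start();
```

After deploying, request a file in the fallback folder by URL and confirm the server answers 403; if it does not, the host is ignoring the .htaccess rules.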
 
LVL 1

Author Closing Comment

by:derrida
ID: 38917164
Since I have no access outside the root, changing the permissions is the way it worked.
0
