Solved

problem with session permission

Posted on 2013-01-28
21
Medium Priority
212 Views
Last Modified: 2013-02-22
Hi,
I have my own MVC that works perfectly on my local machine (using XAMPP), but once I uploaded it to GoDaddy's server I get all sorts of problems.
Now I get this error:
session_start() [function.session-start]: open(/var/chroot/home/content/b/r/e/me/html/bd4fbf5fde58e7f20593bb6a6241a63a/sess_gkr0b3cfr0ag4slnhns93b9no1, O_RDWR) failed: Permission denied (13)

When I do ini_get("session.save_path") on my local machine I get: C:\xampp/tmp, but on the remote server I get: /tmp.

When I asked GoDaddy support about it (I had the feeling that maybe I had uploaded my MVC to the wrong folder, but they say that my files are in the right place), they said: we do not help with code issues. I said that it does not seem to me to be a code issue, but they insist.

In my code I have constants that determine where the session is placed, like this:
define("__SESSION_SALT", $_SERVER['HTTP_HOST']);
define("__SESSION_NAME", preg_replace("/[^a-z0-9]/i", "", $_SERVER['HTTP_HOST']));
$sessionfoldername = md5("_sessiondata");
define("__SESSION_DIR", str_replace(".", "_", $_SERVER['HTTP_HOST']) . $sessionfoldername);

Again, all works on the local machine.
0
Question by:derrida
21 Comments
 
LVL 13

Expert Comment

by:stergium
ID: 38826029
hello.
Try this one
Create a php5.ini file in your directory and put the following in.

;Save your session path below
sessions.save_path = /tmp

please feedback
0
 
LVL 1

Author Comment

by:derrida
ID: 38826048
Hi,
the same results:

session_start() [function.session-start]: open(/var/chroot/home/content/b/r/e/me/html/bd4fbf5fde58e7f20593bb6a6241a63a/sess_gkr0b3cfr0ag4slnhns93b9no1, O_RDWR) failed: Permission denied (13)
0
 
LVL 1

Author Comment

by:derrida
ID: 38826060
I also tried: sessions.save_path =  /xampp/tmp
Same result.
0
 
LVL 13

Expert Comment

by:stergium
ID: 38826086
try renaming the php5.ini file to php.ini
0
 
LVL 1

Author Comment

by:derrida
ID: 38826091
the same error.
0
 
LVL 1

Author Comment

by:derrida
ID: 38826221
also tried:
 sessions.
and
 session.

no effect
0
 
LVL 13

Expert Comment

by:stergium
ID: 38826252
ok using the
session_save_path('/tmp');

you get the same results?
0
 
LVL 1

Author Comment

by:derrida
ID: 38826269
in the ini file?
0
 
LVL 1

Author Comment

by:derrida
ID: 38826274
I have put it in the session class and got the same error.
0
 
LVL 1

Accepted Solution

by:
derrida earned 0 total points
ID: 38826286
I have changed some permissions and it works.
0
 
LVL 1

Author Comment

by:derrida
ID: 38826547
I've requested that this question be deleted for the following reason:

I have changed some permissions and it works, even though that was the first thing I tried and it did not work, but now it does.
0
 
LVL 35

Expert Comment

by:gr8gonzo
ID: 38826548
Objecting not because of something the author did incorrectly when closing the question, but because it's most likely the incorrect approach.

1. Don't try to fix this with permissions. It might technically work as a "quick fix", but it also puts your session data into the web-accessible directories, which is a security issue.

2. It looks like you might be using a variation of this code:
http://www.phpkode.com/source/s/secure-session-extended/SecureSession.php4.class.php

In that code, I see that the constructor sets the session_save_path:
ini_set("session.save_path", $DirectoryPath);

This will take precedence over the php.ini changes. You need to change the __SESSION_DIR constant to "/tmp" or create a folder inside YOUR account which is not inside the document root (the web-accessible portion) that only has your own permissions, and then set the __SESSION_DIR to that path.
0
 
LVL 1

Author Comment

by:derrida
ID: 38826738
If I change the SESSION_DIR to "/tmp" I get the error again.
I am not using this class, but I did use it to help me with encrypting my session.
0
 
LVL 1

Author Comment

by:derrida
ID: 38826751
I made my session folder 744; is that not safe?
0
 
LVL 35

Expert Comment

by:gr8gonzo
ID: 38826817
It's probably better to do the latter anyway - to create a folder inside your account. So let's say this is your account directory:

/var/chroot/home/content/b/r/e/me/

...and this is your publicly web-accessible document root:
/var/chroot/home/content/b/r/e/me/html/

Create a folder like:
/var/chroot/home/content/b/r/e/me/sessions/

Make sure that the DOCUMENT_ROOT directory actually does map to the "html" folder, then update your code as such:

Old:
define("__SESSION_SALT", $_SERVER['HTTP_HOST']);
define("__SESSION_NAME", preg_replace("/[^a-z0-9]/i", "", $_SERVER['HTTP_HOST']));
$sessionfoldername = md5("_sessiondata");
define("__SESSION_DIR", str_replace(".", "_", $_SERVER['HTTP_HOST']) . $sessionfoldername);


New:
define("__SESSION_SALT", $_SERVER['HTTP_HOST']);
define("__SESSION_NAME", preg_replace("/[^a-z0-9]/i", "", $_SERVER['HTTP_HOST']));
define("__SESSION_DIR",  $_SERVER["DOCUMENT_ROOT"] . "/../sessions");

See if that works properly. If you can make the session folder into 700, or 740, then that is going to be more secure. It all depends on GoDaddy's filesystem permissions setup and whether PHP can access those files. Preferably, you don't want to set the last number to anything but 0, otherwise EVERYONE on the server can have some degree of access to that folder.
0
 
LVL 35

Expert Comment

by:gr8gonzo
ID: 38826854
By the way, 744 breaks down like this:

7 = RWX = Dir/File's owner has (R)ead, (W)rite, and e(X)ecute privileges
4 = R = Dir/File's owner's group has (R)ead privileges
4 = R = Everyone has (R)ead privileges

The tricky part is that while YOUR username might be "johnsmith", that might not be the username that PHP uses when it is running. So when someone accesses a PHP script on your site, it might run under a different username like "www" or "nobody". That means that whatever user account that PHP uses, you will need to give it enough permissions to read and write your session files.

There is an easy way to see the username and group that PHP runs under. Create a folder and give it full 777 permissions. Then use a small PHP script to simply create a file inside that folder:

<?php
file_put_contents("testdir/testfile.txt", "testing");
?>

That file's creator / owner will be set to whatever PHP is using, so you can just log into FTP and look at the names to know for sure. Then delete that test folder afterwards.
0
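
The permission breakdown and the "which user does PHP run as" check from the comment above, as an added example that is not part of the original post. It assumes PHP 7.1 or later on a Unix host; the `sessions` path and both function names are hypothetical.

```php
<?php
// Added example, not code from the thread. $dir is a hypothetical path.

// Decode the low nine permission bits into rwx strings per class.
function describe_mode(int $perms): array
{
    $mode = $perms & 0777;
    $out  = ['octal' => sprintf('%03o', $mode)];
    foreach (['owner' => 6, 'group' => 3, 'other' => 0] as $who => $shift) {
        $bits = ($mode >> $shift) & 7;
        $out[$who] = (($bits & 4) ? 'r' : '-')
                   . (($bits & 2) ? 'w' : '-')
                   . (($bits & 1) ? 'x' : '-');
    }
    return $out;
}

// UID the PHP process runs as. Without the posix extension, fall back to
// the thread's trick: create a file and read back its owner.
function php_process_uid(): ?int
{
    if (function_exists('posix_geteuid')) {
        return posix_geteuid();
    }
    $probe = tempnam(sys_get_temp_dir(), 'who');
    if ($probe === false) {
        return null;
    }
    $uid = fileowner($probe);
    unlink($probe);
    return $uid === false ? null : $uid;
}

$dir = __DIR__ . '/sessions';                 // hypothetical session folder
if (!is_dir($dir)) {
    exit("Not a directory: $dir\n");
}
$m        = describe_mode(fileperms($dir));
$dirOwner = fileowner($dir);
$phpUid   = php_process_uid();

printf("mode %s  owner=%s group=%s other=%s\n", $m['octal'], $m['owner'], $m['group'], $m['other']);
printf("directory owner uid=%d, PHP runs as uid=%s\n", $dirOwner, $phpUid === null ? 'unknown' : $phpUid);
if ($phpUid !== null && $phpUid !== $dirOwner) {
    echo "PHP is not the owner: only the group/other bits apply to it.\n";
}
if ($m['other'] !== '---') {
    echo "Other users on the server have some access to this folder.\n";
}
```

On a directory, `r` without `x` lets a user list file names but not open the files inside, so a 744 session folder still exposes the session IDs in its file names to every account on the server.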
 
LVL 1

Author Comment

by:derrida
ID: 38826857
I do not think I have access outside the html folder.
0
 
LVL 35

Expert Comment

by:gr8gonzo
ID: 38826994
I was in a client's GoDaddy account last year and they had that type of directory structure. Are you checking via FTP and trying to change to the parent directory?
0
 
LVL 84

Expert Comment

by:Dave Baldwin
ID: 38827980
None of the half dozen Godaddy accounts that I currently have access to on shared hosting will allow you to go above the web root.
0
 
LVL 35

Expert Comment

by:gr8gonzo
ID: 38829412
I stand corrected, then. If you're going to store session data inside the document root, try to add an .htaccess file to help protect it from direct access and make the contents of the folder inaccessible via web requests.
0
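
The two layouts discussed above (a sessions folder beside the document root, or one inside it protected by .htaccess), as an added example that is not part of the thread. The folder name `sessions`, the helper `pick_session_dir`, PHP 7 or later and an Apache host that honors .htaccess are assumptions.

```php
<?php
// Added example, not the poster's code. Folder name and helper are hypothetical.

function pick_session_dir(string $docRoot): string
{
    $docRoot = rtrim($docRoot, '/');
    $outside = dirname($docRoot) . '/sessions';  // preferred: not reachable by URL
    $inside  = $docRoot . '/sessions';           // fallback when locked into the web root

    foreach ([$outside, $inside] as $dir) {
        // Let PHP create the folder so the PHP user owns it and 0700 is enough.
        if (!@is_dir($dir) && !@mkdir($dir, 0700, true)) {
            continue;
        }
        @chmod($dir, 0700);                      // mkdir's mode is filtered by umask
        if (!is_writable($dir)) {
            continue;
        }
        if ($dir === $inside) {
            // Deny all HTTP access; covers Apache 2.4 and 2.2 syntax.
            $rules = "<IfModule mod_authz_core.c>\n    Require all denied\n</IfModule>\n"
                   . "<IfModule !mod_authz_core.c>\n    Order deny,allow\n    Deny from all\n</IfModule>\n";
            if (file_put_contents($dir . '/.htaccess', $rules, LOCK_EX) === false) {
                continue;
            }
        }
        return $dir;
    }
    throw new RuntimeException('No usable session directory found');
}

$dir = pick_session_dir($_SERVER['DOCUMENT_ROOT']);
session_save_path($dir);                         // must be set before session_start()
session_start();
```

After deploying, request a file in the folder by URL from a browser: any response other than 403 means the host is ignoring the .htaccess rules for that directory.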
 
LVL 1

Author Closing Comment

by:derrida
ID: 38917164
Since I have no access outside the root, changing the permissions is the way it worked.
0
