Score:0

Macos changing user in Apache breaks PHP SESSION persistence

dz flag

I am using Macos built-in Apache server locally for development. I have developed a site which uses PHP and relies on session cookies to persist sessions. With the default Apache setup, everything was working fine, and session data was persisted correctly.

For ease of development, I wanted to change the User and Group in Apache to my username and group. I did this by editing /etc/apache2/httpd.conf, per instructions I found on the net. Restarted Apache, and every thing seems to work fine - <?php print `whoami` ?> shows the expected username (mine.)

HOWEVER, I have now started observing that the $_SESSION variable is no longer persisted.

I grepped /etc/php.ini to see if there was a line which included '_www' (the default Apache user and group) thinking that the PHP config had to be changed also to sync things up. However grep returned no lines as such.

Anyone know what is going on here, and how to fix this?

EDIT: I have checked session ids session_id() and verified that the same session ids are being used between pages.

Chris avatar
it flag
Could be a permission issue on the session directory. Do you see something in logs? You could try to set another directory (`session.save_path` in php.ini)
dz flag
Actually the fix turned out to be simpler than that. All I had to do was clear the cookie in my browser :-) Your hint about permissions issue gave the clue I needed. Thanks.
Score:0
dz flag

PHP saves the session file in /var/tmp, eg. sess_1aas3b0jgjbbsoktg3fcehu5je. Session files here are 600 permissions, thus ONLY the owner can read or write to them. The browser saves the session cookie with the same id. Before changing the user and group in the Apache configuration, the session id was written as _www as the owner. After changing the user and group in the Apache config, if the session cookie was still alive in the browser, it would tell PHP to access that id, only now the user is xyz, and it cannot read or write that file.

The simple solution is to clear the session cookie in the browser (or wait until it expires.) PHP will now create a new session file with the new owner xyz.

mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.