Friday, September 19, 2014

apache 2.2 - Setting default permission for session files

How could I set default permissions for session files so that both apache-php-process and some-other-user's-php-process can rw them? The session is created by some-other-user's-php-process and after that apache-php-process should be able to read and write it.



Now the default permission for session files is 600. It should be 660 or 666. Where and how can I set this permission (e.g. httpd.conf or php.ini), so that there is no need to use chmod every time after session_start()?



The server is my own, so there is no need to avoid this for security reasons.



Apache version is 2.2.15, PHP is 5.3.3, server is CentOS 6 64-bit.




And because the first question is "why do you need this?", I answer this first: I have built a few sites with suphp on the server and the logic is built on this, so there are tens of calls to session_start() and all php-processes are owned by some specific user. I have a getimage.php, which loads images; on some pages there can be tens or hundreds of thumbnails on the same page (I want it this way!). Although I have 100M internet, the page loads slowly because for every call to getimage.php a new php-process is started. getimage.php uses sessions for restricting user access to specific images. I tested creating an Apache handler for php and using a different file extension for this: getimage.apachephp. The speedup was huge! But the problem is that I have to manually chmod the session file to allow the apache-php-process to access the session file. And I thought that if the chmod could be made automatically on every session file creation, the process becomes more meaningful.






EDIT:
One possible solution is to use




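// "N;MODE;/path": directory depth 0, session files created with octal mode 666
session_save_path("0;666;/path/to/sessfile");
// Clear the umask so the 666 mode is not masked down when the file is created
umask(0);
session_start();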


Or, if you want to avoid 666 and use the slightly more secure 660, both the apache user and the suphp user have to belong to the same group (e.g. web), and after the session is created the group of the created session file has to be changed to web. I selected 666 for simplicity.
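
The 660 variant described in the edit above, as an added example that is not part of the original post. It assumes a hypothetical session directory that is group-owned by the shared group (web in the post) with mode 770 or 2770, and it is written to run on PHP 5.3.

```php
<?php
// Added example, PHP 5.3-compatible. Assumed (not from the post): $dir below,
// which is group-owned by "web" (the post's example group), mode 770 or 2770.
$dir = '/var/lib/php/session-shared';   // hypothetical shared session directory

function start_group_session($dir)
{
    clearstatcache();
    // With 660 files the directory is the remaining exposure: refuse to use
    // it if users outside owner/group can list or enter it.
    if ((fileperms($dir) & 0007) !== 0) {
        throw new RuntimeException("$dir is accessible to other users");
    }

    // "N;MODE;/path": depth 0, session files created with octal mode 660.
    session_save_path('0;660;' . $dir);

    // umask 007 keeps owner/group rw and strips all "other" bits; restore it
    // afterwards so the rest of the script is unaffected.
    $old = umask(0007);
    session_start();
    umask($old);

    // The files handler stores the session as sess_<session id>.
    $file = $dir . '/sess_' . session_id();
    clearstatcache();

    // Hand the file to the shared group only when it is not there already
    // (a setgid directory makes new files inherit the group). chgrp succeeds
    // only for the file's owner, who must also be a member of that group.
    $gid = filegroup($dir);
    if (filegroup($file) !== $gid && !chgrp($file, $gid)) {
        throw new RuntimeException("cannot change group of $file");
    }

    // Verify the result instead of assuming it: exactly rw for owner and group.
    clearstatcache();
    $mode = fileperms($file) & 0777;
    if ($mode !== 0660) {
        throw new RuntimeException(sprintf('%s has mode %o, expected 660', $file, $mode));
    }
    return $file;
}

start_group_session($dir);
```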
