This is very wrong to recommend:

; NOTE: If you are using the subdirectory option for storing session files
[...]
;          find /path/to/sessions -cmin +24 | xargs rm

because it is prone to a '\n' attack. You can see the security
considerations of GNU find.

Much better would be:

find /path/to/sessions -cmin +24 -delete
or at least
find /path/to/sessions -cmin +24 -execdir rm "{}" \; (GNU find)

The most error-prone way is something we cooked up in Debian:

find /var/lib/php5/ -depth -mindepth 1 -maxdepth 1 -type f \
    -ignore_readdir_race -cmin +24 ! -execdir fuser -s {} 2>/dev/null \; \
    -delete

which depends on fuser version 22.15 or later (which removed a
fork() call that was able to swamp the whole system with zombies).

The fuser call checks if the session file is still in use, because the
script was deleting still active sessions opened 24+ mins ago.

O.
-- 
Ondřej Surý <ond...@sury.org>
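The following is an added demonstration, not part of the mail above and not Debian's or PHP's own code. It builds a throwaway directory containing one "session" file whose name embeds a newline followed by the name of an unrelated file, then compares the `find | xargs rm` pipeline the mail warns against with the `-delete`, `-execdir rm {} \;` and `-print0 | xargs -0` alternatives. The directory layout, the file names and the helper names (`make_sandbox`, `unsafe_cleanup`, `safe_cleanup`, `report`) are constructed for the example; the age test (`-cmin +24`) is omitted because the sandbox files are freshly created.

```shell
#!/bin/sh
# Added example: why "find | xargs rm" must not be used for session cleanup.
# Everything happens inside a directory created with mktemp; nothing outside
# it is touched.

# make_sandbox DIR: constructed layout. DIR/important.txt is an unrelated file;
# DIR/sessions holds one session file whose name is "sess_abc<newline>important.txt".
make_sandbox() {
    dir=$1
    rm -rf "$dir"
    mkdir -p "$dir/sessions"
    printf 'keep me\n' > "$dir/important.txt"
    nl='
'
    : > "$dir/sessions/sess_abc${nl}important.txt"
}

# report DIR: "deleted" if the unrelated file is gone, "leftover" if a session
# file survived the cleanup, "survived" if only the session file was removed.
report() {
    if [ ! -f "$1/important.txt" ]; then
        echo deleted
    elif [ -n "$(find "$1/sessions" -type f)" ]; then
        echo leftover
    else
        echo survived
    fi
}

# unsafe_cleanup DIR: the pattern the mail warns against. find prints the name
# with its embedded newline, xargs splits on it, and rm receives a second
# argument "important.txt" that resolves relative to the cron job's cwd.
unsafe_cleanup() {
    dir=$1
    make_sandbox "$dir"
    ( cd "$dir" && find "$dir/sessions" -type f | xargs rm 2>/dev/null ) || true
    report "$dir"
}

# safe_cleanup DIR MODE: the alternatives (delete | execdir | xargs0). None of
# them passes file names through a whitespace-separated text stream.
safe_cleanup() {
    dir=$1
    mode=$2
    make_sandbox "$dir"
    case $mode in
        delete)  ( cd "$dir" && find "$dir/sessions" -type f -delete ) ;;
        execdir) ( cd "$dir" && find "$dir/sessions" -type f -execdir rm {} \; ) ;;
        xargs0)  ( cd "$dir" && find "$dir/sessions" -type f -print0 | xargs -0 rm ) ;;
        *) echo "unknown mode $mode" >&2; return 1 ;;
    esac
    report "$dir"
}

tmp=$(mktemp -d)
echo "find | xargs rm          : $(unsafe_cleanup "$tmp/unsafe")"
echo "find -delete             : $(safe_cleanup "$tmp/delete" delete)"
echo "find -execdir rm {} \\;   : $(safe_cleanup "$tmp/execdir" execdir)"
echo "find -print0 | xargs -0  : $(safe_cleanup "$tmp/xargs0" xargs0)"
rm -rf "$tmp"
```

The unsafe run reports `deleted`: the unrelated file in the working directory is removed while the session file itself is left behind, because its path was split into two arguments. The three alternatives report `survived`, since each hands the complete name to rm (or to find's own unlink) as a single argument. The fuser check from the mail can be added in front of `-delete` exactly as shown above; it does not change which names reach rm.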

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php