Hi. Just for the record, I'm now uploading a new package for Debian (-5), which will include a crontab to purge files older than 1 hour (the default sessions expiration delay in the Debian package).
We keep files in a separate dir so that Admin / View sessions works (cause the patch fixing bug https://savannah.gnu.org/bugs/?23386 is included too ;) by browsing the directory, and stick to a crontab so that we don't differ too much from PHP5... the GC stuff may be interesting, but we may use it someday if PHP5 packages in Debian do so also by default (no need to test new features).

Thanks for your help, guys.

Best regards,

On Thursday 08 May 2008 at 05:15 +1000, Dave Hall wrote:
> On Wed, 2008-05-07 at 07:11 -0500, Chris Weiss wrote:
> > On Wed, May 7, 2008 at 5:15 AM, Olivier Berger
> > <[EMAIL PROTECTED]> wrote:
> > > Hello.
> > >
> > > I'm considering the right way to manage the PHP session files on
> > > standard installations in Debian.
> > >
> > > Maybe you can help, as I'm not really expert in PHP.
> > >
> > > In Debian's default configuration, phpGroupware uses session files, and
> > > the session.save_path is directed to a specific directory, separate from
> > > the PHP5 default (/var/lib/phpgroupware/sessions instead of the
> > > default /var/lib/php5/ in Debian).
> > >
> > > I guess such a separate dir was a way to prevent collision with other
> > > applications which may lead to security issues as phpGroupware sessions
> > > may contain sensitive information.
> > >
> > > Would this be a big risk to store them in the same place as other PHP
> > > apps installed on the same server ?
> > >
> > > Would you recommend any policy ?
> > >
> > > You'll find below a bug-report about these files not being purged ATM
> > > in Debian, btw ;)
> > >
> >
> > it's always been my impression that php's garbage collection, not a
> > cron job, handles removing old session files. maybe what we have a
> > bug in php itself...
>
> In Debian it is a cron job. See below
>
> I recommend a separate directory, just for security, but it probably
> doesn't provide much benefit, cos if you can read the session files you
> can read the header.inc.php, and so get the dd access credentials.
>
> I am happy enough to use the common session path if that is easier for
> you (and Debian).
>
> Cheers
>
> Dave
>
> $ cat /etc/cron.d/php5
> # /etc/cron.d/php5: crontab fragment for php5
> # This purges session files older than X, where X is defined in seconds
> # as the largest value of session.gc_maxlifetime from all your php.ini
> # files, or 24 minutes if not defined. See /usr/lib/php5/maxlifetime
>
> # Look for and purge old sessions every 30 minutes
> 09,39 * * * * root [ -x /usr/lib/php5/maxlifetime ] && [ -d /var/lib/php5 ] && find /var/lib/php5/ -type f -cmin +$(/usr/lib/php5/maxlifetime) -print0 | xargs -r -0 rm
>
> _______________________________________________
> phpGroupWare-developers mailing list
> phpGroupWare-developers@gnu.org
> http://lists.gnu.org/mailman/listinfo/phpgroupware-developers

--
Olivier BERGER <[EMAIL PROTECTED]> (*NEW ADDRESS*)
http://www-inf.it-sudparis.eu/~olberger/ - OpenPGP-Id: 1024D/6B829EEC
Research Engineer - Dept INF
Institut TELECOM / TELECOM & Management SudParis (http://www.it-sudparis.eu/), Evry
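
Added example, not part of the thread and not the Debian or phpGroupware script: a sketch of the rule stated in the quoted cron comment (largest session.gc_maxlifetime across the ini files, 24 minutes if none defines it) together with a purge of a dedicated session directory. The function names and the rounding-up of seconds to minutes are assumptions; `-print0` and `xargs -r -0` are the GNU options used in the quoted crontab.

```shell
#!/bin/sh
# Hypothetical helpers for a dedicated session directory such as
# /var/lib/phpgroupware/sessions (path taken from the thread).

# Print the purge age in minutes: the largest session.gc_maxlifetime
# (seconds) set in the given ini files, or 24 minutes if none sets it.
session_max_minutes() {
    max=''
    for ini in "$@"; do
        [ -r "$ini" ] || continue
        # Only uncommented "session.gc_maxlifetime = N" lines count.
        for v in $(sed -n 's/^[[:space:]]*session\.gc_maxlifetime[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$ini"); do
            if [ -z "$max" ] || [ "$v" -gt "$max" ]; then
                max=$v
            fi
        done
    done
    # Round up so a session is never purged before its lifetime ends.
    echo $(( (${max:-1440} + 59) / 60 ))
}

# Delete regular files under directory $1 whose status changed more than
# $2 minutes ago. Refuses a non-numeric age (exit 2) and a path that is
# missing or is a symlink (exit 3), so the job cannot be pointed elsewhere.
purge_sessions() {
    dir=$1
    minutes=$2
    case $minutes in
        ''|*[!0-9]*) return 2 ;;
    esac
    if [ ! -d "$dir" ] || [ -L "$dir" ]; then
        return 3
    fi
    find "$dir" -xdev -type f -cmin "+$minutes" -print0 | xargs -r -0 rm -f --
}
```

A cron entry would call `purge_sessions` with the session directory and the value printed by `session_max_minutes`.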