Cloud Insidr

Cybersecurity in the Age of the Machine

Join us on Twitter: @CloudInsidr

Home Uncategorized How to Fix PHP Session Errors while Respecting Security with Correct Permissions
How to Fix PHP Session Errors while Respecting Security with Correct Permissions

Leave a Comment

How to Fix PHP Session Errors while Respecting Security with Correct Permissions

Have you ever seen one of these weird redirects? WordPress, for example, may refuse to show the log-in page, leaving you out of its admin interface for good. Here is what to do about it.

The log file may hold the secret to the weird behaviour:

tail /var/log/nginx/error.log

You might see something like this:

2015/11/18 18:23:51 [error] 16852#16852: *18847 FastCGI sent in stderr: "PHP message: PHP Warning: session_start(): open(/var/lib/php/session/sess_hk123na6l228eui7odqub6rghej6, O_RDWR) failed: No such file or directory (2) in /mnt/www/www.yourdomain.com/somefolder/somepath/watever-legit-script-is-trying-to-read-sessions.php on line 715" while reading response header from upstream, client: XXX.XXX.XXX.XXX, server: www.yourserver.com, request: "GET /content/? HTTP/1.1", upstream: "fastcgi://unix:/var/run/php-fpm.sockets/www.yourserver.com.sock:", host: "www.yourserver.com", referrer: "https://auth.somereferrer.com/whatever"

or something like this:

2015/11/18 18:23:51 [error] 16852#16852: *18847 FastCGI sent in stderr: "PHP message: PHP Warning: Unknown: open(/var/lib/php/session/sess_hk123na6l228eui7odqub6rghej6, O_RDWR) failed: No such file or directory (2) in Unknown on line 0
PHP message: PHP Warning: Unknown: Failed to write session data (files). Please verify that the current setting of session.save_path is correct (/var/lib/php/session) in Unknown on line 0" while reading upstream, client: XXX.XXX.XXX.XXX, server: www.yourserver.com, request: "GET /content/? HTTP/1.1", upstream: "

These errors occur because PHP has no way of saving sessions on disk. Correcting permissions should fix the problem, but the trick is not to overdo it. Incorrect permissions on session files can open a can of worms to session hijacking.

The location of the PHP session path can be found in /etc/php.ini under session.save_path. The default path is

/var/lib/php/session

If this directory does not exist (even though it should exist precisely in this path), create it, then change permissions on it:

chown -R nginx:nginx /var/lib/php/session
chmod -Rf 700 /var/lib/php/session

This assumes that you are running NGINX as the user nginx. (Be careful to change access privileges correctly–this always means: restrictively–in order not to facilitate session hijacking!).

Restart php-fpm and you should be good to go.

Leave a Reply

Your email address will not be published. Required fields are marked *

©2022 CybrAnalytiqa OÜ