{"id":1395,"date":"2017-02-20T04:17:14","date_gmt":"2017-02-20T12:17:14","guid":{"rendered":"https:\/\/www.cloudinsidr.com\/content\/?p=1395"},"modified":"2018-02-28T18:38:19","modified_gmt":"2018-03-01T02:38:19","slug":"fix-permissions-for-php-session-data-when-using-php-fpm","status":"publish","type":"post","link":"https:\/\/www.cloudinsidr.com\/content\/fix-permissions-for-php-session-data-when-using-php-fpm\/","title":{"rendered":"Maximize your PHP session security by fixing errors and closing the session adoption vulnerability that allows session fixation attacks"},"content":{"rendered":"<p>When\u00a0php-fpm can&#8217;t write to its session data directory, PHP raises a warning that php-fpm passes through to the NGINX error log, and the session data is not saved. You don&#8217;t want any of these errors, but a setting considered insecure will not even be reported as such. Here is how to bolster your PHP 7 session security with NGINX and php-fpm.<\/p>\n<p><!--more--><\/p>\n<h4>1. First things first: fix session errors<\/h4>\n<p>Error messages in\u00a0\/var\/log\/nginx about lack of write access to the session directory look something like this. Note that the first, [warn] line is unrelated: it only says that NGINX buffered a FastCGI response larger than its fastcgi_buffers to a temporary file under \/var\/cache\/nginx\/fastcgi_temp\/. The [error] line that follows is the one to act on:<\/p>\n<pre>2017\/02\/19 02:54:53 [warn] 10265#10265: *81744 an upstream response is buffered to a temporary file \/var\/cache\/nginx\/fastcgi_temp\/1\/40\/0000000401 while reading upstream, client: 123.123.123.123, server: www.cloudinsidr.com, request: \"GET \/content\/feed\/ HTTP\/1.1\", upstream: \"fastcgi:\/\/127.0.0.1:9001\", host: \"www.cloudinsidr.com\", referrer: \"\"\r\n2017\/02\/19 02:57:58 [error] 10265#10265: *81774 FastCGI sent in stderr: \"PHP message: PHP Warning: Unknown: open(\/var\/opt\/remi\/php70\/lib\/php\/session\/sess_57aj23cdh4geatuecs2nloql21, O_RDWR) failed: Permission denied (13) in Unknown on line 0 PHP message: PHP Warning: Unknown: Failed to write session data (files). 
Please verify that the current setting of session.save_path is correct (\/var\/opt\/remi\/php70\/lib\/php\/session) in Unknown on line 0\" while reading upstream, client: 123.123.123.123, server: www.cloudinsidr.com, request: \"GET \/content\/wp-login.php HTTP\/1.0\", upstream: \"fastcgi:\/\/127.0.0.1:9001\", host: \"www.cloudinsidr.com\", referrer: \"somereferrerhere\"<\/pre>\n<p>In the above snippet, the server\u00a0has already given away the location of its\u00a0session directory:<\/p>\n<pre>\/var\/opt\/remi\/php70\/lib\/php\/session<\/pre>\n<p>All you have to do now is fix the permissions.<\/p>\n<p>To figure out the correct permissions on the session directory under php-fpm, look up the group your pools run as. This setting is defined in the config file of each pool (think of a pool as a group of websites sharing the same socket or port number and the same user and group, which is to say sharing some rather relevant security parameters).<\/p>\n<p>To find the settings file, ask systemctl for the status of php-fpm and look for the path given for\u00a0the master process in the output of this command:<\/p>\n<pre>systemctl status php70-php-fpm<\/pre>\n<p>You should see something like this:<\/p>\n<pre>\u251c\u250029146 php-fpm: master process (\/etc\/opt\/remi\/php70\/php-fpm.conf)<\/pre>\n<p>Therefore, the location of your pools&#8217; config files is this directory:<\/p>\n<pre>\/etc\/opt\/remi\/php70\/php-fpm.d\/<\/pre>\n<p>If your pools are configured correctly, each of them runs as the user that owns the website&#8217;s document directory, with nginx as the group. Check the <em>user<\/em> and <em>group<\/em> lines of each pool file, and look for a <em>php_value[session.save_path]<\/em> line: a pool may override the php.ini session directory that way, and the stock Remi www.conf does exactly that.<\/p>\n<p>Here is your fix for the session directory:<\/p>\n<pre>chown root:nginx \/var\/opt\/remi\/php70\/lib\/php\/session<\/pre>\n<p>Do not add -R here: the session files inside are created with mode 0600 by the pool user that owns them, and handing them to root would lock every live session out. Changing the group only helps if the directory mode grants the group write access, so check it with <em>ls -ld<\/em>; if it is not group-writable, <em>chmod 1770<\/em> it (the sticky bit keeps one pool&#8217;s user from deleting another pool&#8217;s session files). Since those 0600 files are also unreadable across pools that run as different users, give each such pool its own directory via <em>php_value[session.save_path]<\/em> rather than sharing one.<\/p>\n<p>Restart php-fpm and nginx and the error should be gone for good. 
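<\/p>\n<p>As an added example that is not part of the original post, here is a small POSIX shell audit for one php-fpm pool that checks both of this post&#8217;s settings at once: that the session directory is owned by the pool&#8217;s group, is group-writable and has the sticky bit, and that <em>session.use_strict_mode<\/em> (section 2 below) is effectively on, honouring a pool&#8217;s <em>php_value[]<\/em> override over php.ini. It also resolves the N;MODE;\/path form of <em>session.save_path<\/em>, which a plain grep would not. The Remi paths in the usage comment are the ones from this post; the pool file name www.conf is an assumption.<\/p>\n

```shell
#!/bin/sh
# Added example, not code from the original post: audit one php-fpm pool for the
# two session settings covered there. Paths in the usage comment at the bottom
# are the Remi php70 layout from the post; the pool file name www.conf is assumed.

# ini_get FILE KEY: print the value of the first uncommented "KEY = value" line.
# Handles plain php.ini lines and the pool forms php_value[KEY] / php_admin_value[KEY].
ini_get() {
    grep -E "^[[:space:]]*(php_(admin_)?value\[)?$2\]?[[:space:]]*=" "$1" 2>/dev/null \
        | head -n 1 \
        | sed -e 's/^[^=]*=[[:space:]]*//' -e 's/[[:space:]]*$//' -e 's/^"\(.*\)"$/\1/'
}

# check_session_dir DIR GROUP: DIR must be owned by GROUP and group-writable, and carry
# the sticky bit so one pool's user cannot delete another pool's session files.
check_session_dir() {
    dir=$1; want=$2; rc=0
    if [ ! -d "$dir" ]; then
        echo "FAIL: $dir is not a directory"; return 1
    fi
    set -- $(ls -ld "$dir")            # mode links owner group size ...
    mode=$1; group=$4
    [ "$group" = "$want" ] || { echo "FAIL: $dir group is $group, pool group is $want"; rc=1; }
    [ "$(echo "$mode" | cut -c6)" = w ] || { echo "FAIL: $dir is not group-writable ($mode)"; rc=1; }
    case $(echo "$mode" | cut -c10) in
        t|T) ;;
        *) echo "FAIL: $dir has no sticky bit ($mode)"; rc=1 ;;
    esac
    if [ "$(echo "$mode" | cut -c9)" = w ]; then
        echo "WARN: $dir is world-writable ($mode)"
    fi
    [ "$rc" -eq 0 ] && echo "OK: $dir is $group $mode"
    return "$rc"
}

# check_strict_mode POOLCONF PHPINI: a pool's php_value overrides php.ini, so look there first.
check_strict_mode() {
    v=$(ini_get "$1" session.use_strict_mode)
    [ -n "$v" ] || v=$(ini_get "$2" session.use_strict_mode)
    case $v in
        1|[Oo]n|[Tt]rue|[Yy]es)
            echo "OK: session.use_strict_mode = $v"; return 0 ;;
        *)
            echo "FAIL: session.use_strict_mode = '${v:-unset}' (session adoption possible)"; return 1 ;;
    esac
}

# audit_pool POOLCONF PHPINI: resolve the pool's group and session.save_path (pool
# override first, php.ini otherwise), then run both checks. Returns 0 only if all pass.
audit_pool() {
    pool=$1; ini=$2; rc=0
    grp=$(ini_get "$pool" group)
    path=$(ini_get "$pool" session.save_path)
    [ -n "$path" ] || path=$(ini_get "$ini" session.save_path)
    path=${path##*;}                   # "N;MODE;/dir" form of save_path: keep the directory
    [ -n "$grp" ]  || { echo "FAIL: no group line in $pool"; return 1; }
    [ -n "$path" ] || { echo "FAIL: session.save_path is not set in $pool or $ini"; return 1; }
    check_session_dir "$path" "$grp" || rc=1
    check_strict_mode "$pool" "$ini" || rc=1
    return "$rc"
}

# Stand-alone usage with the Remi php70 paths from the post (www.conf is assumed):
#   sh audit-php-sessions.sh /etc/opt/remi/php70/php-fpm.d/www.conf /etc/opt/remi/php70/php.ini
if [ $# -ge 2 ]; then
    audit_pool "$1" "$2"
fi
```

<p>Run it before and after the chown; the directory check should report OK afterwards, while the strict-mode check keeps failing until section 2 is done. 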
To verify this, visit your site, then check that no new session warnings appear in the log:<\/p>\n<pre>tail \/var\/log\/nginx\/error.log<\/pre>\n<p>comparing the timestamps of the last entries against the current server time obtained via:<\/p>\n<pre>timedatectl<\/pre>\n<p>Done. No, wait. By default, your PHP sessions are not secure: PHP will adopt any session ID a browser sends it. You can protect your server from session fixation via session adoption using strict mode.<\/p>\n<h4>2. Prevent\u00a0session fixation by closing the session adoption vulnerability<\/h4>\n<p>The <em>session.use_strict_mode<\/em>\u00a0directive in your server&#8217;s php.ini file specifies whether the session module uses strict session ID mode. This mode is disabled by default as of this writing. Don&#8217;t believe it, check it for yourself:<\/p>\n<pre># grep -i session.use_strict_mode \/etc\/opt\/remi\/php70\/php.ini\r\nsession.use_strict_mode = 0<\/pre>\n<p>With strict mode off, the session module accepts any syntactically valid session ID presented in the cookie, whether or not it generated that ID itself, and creates a session under it. An attacker who can plant a cookie in the victim&#8217;s browser therefore knows the victim&#8217;s session ID before the victim logs in. By enabling strict mode, you ensure that the module no longer accepts uninitialized session IDs: if the server receives one from a browser, it discards it and sends a freshly generated ID back. Strict mode\u00a0protects your applications from <strong>session fixation<\/strong> via the vulnerability known as <strong>session adoption<\/strong>. It does not replace calling <em>session_regenerate_id(true)<\/em> after login, which applications should still do.<\/p>\n<p>Edit your php.ini:<\/p>\n<pre>nano \/etc\/opt\/remi\/php70\/php.ini<\/pre>\n<p>Comment out the default and replace it with the correct setting:<\/p>\n<pre>; session.use_strict_mode = 0\r\nsession.use_strict_mode = 1<\/pre>\n<p>A pool can override php.ini with a <em>php_value[session.use_strict_mode]<\/em> line, and an application can override both with <em>ini_set()<\/em>, so confirm the effective value with <em>phpinfo()<\/em> served through the pool rather than trusting the file alone.<\/p>\n<p>Restart:<\/p>\n<pre># systemctl restart php70-php-fpm; systemctl restart nginx<\/pre>\n","protected":false},"excerpt":{"rendered":"<p>When\u00a0php-fpm can&#8217;t write to its session data directory, PHP raises a warning that php-fpm passes through to the NGINX error log, and the session data is not saved. You don&#8217;t want any of these errors, but a setting considered insecure will not even be reported as such. 
Here is how to bolster your PHP 7 session security with NGINX and php-fpm.<\/p>\n","protected":false},"author":1,"featured_media":76,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_genesis_hide_title":false,"_genesis_hide_breadcrumbs":false,"_genesis_hide_singular_image":false,"_genesis_hide_footer_widgets":false,"_genesis_custom_body_class":"","_genesis_custom_post_class":"","_genesis_layout":"","footnotes":""},"categories":[33,109,168,6],"tags":[7,25,50,27,22,170,169],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v14.5 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Maximize your PHP session security by fixing errors and closing the session adoption vulnerability that allows session fixation attacks - CloudInsidr<\/title>\n<meta name=\"robots\" content=\"index, follow\" \/>\n<meta name=\"googlebot\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<meta name=\"bingbot\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.cloudinsidr.com\/content\/fix-permissions-for-php-session-data-when-using-php-fpm\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Maximize your PHP session security by fixing errors and closing the session adoption vulnerability that allows session fixation attacks - CloudInsidr\" \/>\n<meta property=\"og:description\" content=\"When\u00a0php-fpm can&#8217;t write to its session data directory, PHP raises a warning that php-fpm passes through to the NGINX error log, and the session data is not saved. You don&#8217;t want any of these errors, but a setting considered insecure will not even be reported as such. 
Here is how to bolster your PHP 7 session security with NGINX and php-fpm.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.cloudinsidr.com\/content\/fix-permissions-for-php-session-data-when-using-php-fpm\/\" \/>\n<meta property=\"og:site_name\" content=\"CloudInsidr\" \/>\n<meta property=\"article:published_time\" content=\"2017-02-20T12:17:14+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2018-03-01T02:38:19+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.cloudinsidr.com\/content\/wp-content\/uploads\/2015\/11\/cloudinsidr_logo_900px-wide.png\" \/>\n\t<meta property=\"og:image:width\" content=\"900\" \/>\n\t<meta property=\"og:image:height\" content=\"326\" \/>\n<meta name=\"twitter:card\" content=\"summary\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.cloudinsidr.com\/content\/#website\",\"url\":\"https:\/\/www.cloudinsidr.com\/content\/\",\"name\":\"CloudInsidr\",\"description\":\"Cyber security, infotech\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":\"https:\/\/www.cloudinsidr.com\/content\/?s={search_term_string}\",\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"ImageObject\",\"@id\":\"https:\/\/www.cloudinsidr.com\/content\/fix-permissions-for-php-session-data-when-using-php-fpm\/#primaryimage\",\"inLanguage\":\"en-US\",\"url\":\"https:\/\/www.cloudinsidr.com\/content\/wp-content\/uploads\/2015\/11\/cloudinsidr_logo_900px-wide.png\",\"width\":900,\"height\":326,\"caption\":\"cloudinsidr.com logo (900px wide)\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.cloudinsidr.com\/content\/fix-permissions-for-php-session-data-when-using-php-fpm\/#webpage\",\"url\":\"https:\/\/www.cloudinsidr.com\/content\/fix-permissions-for-php-session-data-when-using-php-fpm\/\",\"name\":\"Maximize your PHP session security by fixing errors and closing 
the session adoption vulnerability that allows session fixation attacks - CloudInsidr\",\"isPartOf\":{\"@id\":\"https:\/\/www.cloudinsidr.com\/content\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.cloudinsidr.com\/content\/fix-permissions-for-php-session-data-when-using-php-fpm\/#primaryimage\"},\"datePublished\":\"2017-02-20T12:17:14+00:00\",\"dateModified\":\"2018-03-01T02:38:19+00:00\",\"author\":{\"@id\":\"https:\/\/www.cloudinsidr.com\/content\/#\/schema\/person\/dd6ee9cb21cf05763fd7cff3d6f11b2b\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.cloudinsidr.com\/content\/fix-permissions-for-php-session-data-when-using-php-fpm\/\"]}]},{\"@type\":[\"Person\"],\"@id\":\"https:\/\/www.cloudinsidr.com\/content\/#\/schema\/person\/dd6ee9cb21cf05763fd7cff3d6f11b2b\",\"name\":\"Cloud Insidr\",\"image\":{\"@type\":\"ImageObject\",\"@id\":\"https:\/\/www.cloudinsidr.com\/content\/#personlogo\",\"inLanguage\":\"en-US\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/8b2fa1415b3d573b97d818b8f8f83b7c?s=96&d=mm&r=g\",\"caption\":\"Cloud Insidr\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","_links":{"self":[{"href":"https:\/\/www.cloudinsidr.com\/content\/wp-json\/wp\/v2\/posts\/1395"}],"collection":[{"href":"https:\/\/www.cloudinsidr.com\/content\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.cloudinsidr.com\/content\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.cloudinsidr.com\/content\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.cloudinsidr.com\/content\/wp-json\/wp\/v2\/comments?post=1395"}],"version-history":[{"count":6,"href":"https:\/\/www.cloudinsidr.com\/content\/wp-json\/wp\/v2\/posts\/1395\/revisions"}],"predecessor-version":[{"id":1401,"href":"https:\/\/www.cloudinsidr.com\/content\/wp-json\/wp\/v2\/posts\/1395\/revisions\/1401"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.cloudinsidr.com\/content\/wp-json\/wp\/v2\/media\/76"}],"wp:attachment":[{"href":"https:\/\/www.cloudinsidr.com\/content\/wp-json\/wp\/v2\/media?parent=1395"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.cloudinsidr.com\/content\/wp-json\/wp\/v2\/categories?post=1395"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.cloudinsidr.com\/content\/wp-json\/wp\/v2\/tags?post=1395"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}