PHP FastCGI Session

[MaxZ]

Hey there,

I couldn't find a similar problem, so I'll just post away.

I'm running plesk 9.2.1 on openSUSE 11.0, most sites use PHP with FastCGI, and so do the ones I have problems with.

The (very odd) problem I have is as follows.

Occasionally, I get the following apache error when e.g. trying to log-in to some onlineshop I run:

[Tue Jun 23 12:19:56 2009] [warn] mod_fcgid: stderr: PHP Warning:  session_start(): open(/tmp/sess_7jg5jjc31o0paietrb8hqlkkr1b7cp7v, O_RDWR) failed: Permission denied (13) in /srv/www/vhosts/example.com/httpdocs/x3/includes/application_top.php on line 300
[Tue Jun 23 12:19:56 2009] [warn] mod_fcgid: stderr: PHP Warning:  Unknown: Failed to write session data (files). Please verify that the current setting of session.save_path is correct (/tmp) in Unknown on line 0

BUT /tmp/ has permissions 777. And it works most of the time. Only sometimes I get the above error. After deleting my browsercookies, it works like a charm. I'm really stuck here.

Thanks !!!

Edit: I changed /etc/php5/fastcgi/php.ini in order to change the save_path to /tmp. It was /var/something before, which was not writeable by the fcgi users.
Which leads me to another problem: When using fastCGI, any configuration done in plesk (e.g. safe mode on or off) is ignored. Safe mode is off by default, the defaults in /etc/php5/fastcgi/php.ini are not changed by any of the pesk configs...

 

[JeevanR]

MaxZ, I have the same problem... I didn't notice this error but Only now I saw my Error Log where it repeated ever since I've changed PHP to run as FastCGI!

After searching for hours, I've decided ti give session directly CHMOD 777 rights... this does resolve this issue as FastCGI is able to write session files now... But I don't know how secure is this...

Any advice from experienced staff reg security of this matter or right way of doing it would be great help!

thanks

 

[PleskU]

FastCGI - Per Domain php settings

Plesk,

Please provide SOME insight regarding this issue. Do we need to kludge this, or are we missing something. A simple, yes or no would help. I have seen a few posts regarding this issue and Plesk support has been absent in providing any direction.

Symptoms:
-Plesk 9.2.1
-FastCGI enabled for php via Plesk Control Panel
-vhost.conf traditional method of setting php settings is not compatible due to wrapping aspect of the FastCGI, thus we need a way to set an individual php.ini file for each domain (or be able to push them somehow).

Example:
domain.com wants to run php with safe_mode off. The server default is on. We want to keep the server default on, but we want to allow individual domains to set their on php settings as needed.

Current Recommended solutions:
-Custom script to build skeleton files needed for said, and would trigger using events feature in control panel. Very complex for most and could lead to problems later.

-suPHP


Summary:
Why would Plesk provide such a great feature which is long overdue, and then stop short in the most critical area as it relates to the need for this feature, namely custom php settings so that users can run Joomla, Drupal, CiviCRM, SugarCRM, etc. and be able to have their open_basedir, safe_mode etc. values set easily and in an organized fashion.


Thank you in advance and there is a beer waiting for anyone who has a turnkey solution. No, beer of the month club membership! lol.

HELP US! PLEASE! We will spread the word for you. It's the least you could do for all the free work we put into beta testing and debugging for you during 9.x and over the years.

They never answer their forums, so I won't cross my fingers. But if any users out there have this kicked, PLEASE HELP!


Thanks,

 

[PleskU]

This is a great read. You might just want to surrender and go with suPHP and drop the whole idea of FastCGI. Starting to look like FastCGI is slow to get going...

http://www.forum.psoft.net/showthread.php?t=21125

 

[PleskU]

FastCGI - Plesk using OLD version mod_fcgi

From a post on AtomicRocketTurtle:

Here is a link


----BEGIN-----
Ok,

I am replying to my post instead of editing my last post, because I think I figured this out.

I'm in the early stages, but I have it working from the bash prompt just fine.

Tomorrow, after a good night's sleep (3:45am here), I provide what I did and maybe someone can help me punch through.

This should allow for using the vhost.conf file to make php settings changes with the only exeception being that you have to put your settings in a php.ini file. As it stands, I am doing it in the conf directory, but I'm dead tired and I will need help with this last piece. I am confident this will work.

Here is the problem I think.

mod_fcgid has to be greater than or = to version 2.1 to support arguments in FGCGWrapper.

so in my vhost.conf, the following is throwing an error about the aruments.
FCGIWrapper "/usr/local/bin/php-cgi -c /etc/" .php

When I run this from the command line:
/usr/bin/php-cgi -c /var/www/vhosts/domain.com/conf phpinfo.php |grep safe_mode

it will pick up the change I make in the php.ini file that resides in the conf directory (which I am also launching the test from)

So from command line, it works, but I get an error when I try to save and reload apache with FCGIW wrapper setting as per above. php-cgi is a binary, so maybe plesk is doing something that is preventing this from working as expected.

I hope this can help someone and I also help this can get some feedback. I am really stumped. It should have been as simple as enabling FastCGI for php in the control panel, editing the vhost.conf for the domain to include the wrapper telling it where to look for the php.ini config, and the putting in the php.ini settings we want for that domain.

UPDATE:
Ok, I think I cracked the case. I just did an rpm -qa |grep fcgi

psa-fcgi-2.4.0-2
psa-mod-fcgid-configurator-1.0-14
psa-mod_fcgid-1.10-3

SO!!!
Question: Scott, how can I upgrade psa-mod_fcgid ?

(only 3 days to figure all this out, that's all)

 

[PleskU]

Plesk 9.2.1 - Per Domain php settings - FastCGI (SOLVED)

I cracked the case and I have it working perfectly without doing any patches, or hacks or messing with anything other than the vhost.conf file.

suPHP is no longer needed. I have it all working out of the box.

I am going to be posting a how-to for this whole adventure (I will provide a link later). It is absolutely the easiest way to get per domain php settings while running as user:group of domain users.

 

[MaxZ]

PlsekU thanks in advanve, looking forward to your post

 

[reiberjoe]

So what happened to the tutorial? I think I am stuck at the very same position.

 

[CoreyZ]

yeah, I also need this tutorial, I'm in the same position.

 

[Real Flashman]

Has anyone a solution for that problem by now?

 

[AdgarH]

Maybe you problem will be solved if you turn on session management within your php.ini.

 

[agarzon]

The funny thing is that Plesk never fixed that issue.

Only solution is chmod 777 /var/lib/php/session

 

[outofwwwo]

I've the following env:

- linux
- apache
- PHP 5 running as CGI application

I've found the following solution:

1. add the user running the domain http request to group apache (let's say user_domain1)
1.1 edit /etc/group
1.2 line: apache:x:48:apache,user_domain1

2. clean browser cookies (for the domain in issue)

3. restart apache (not sure if really necessary).

hope it helps.

 

[fabrii]

in panel > home > subscriptions > (select your subscription) > websites & domains tab > show advanced options > website scripting and security > PHP setting tab > session.save_path > enter custom value

and enter this:

{DOCROOT}/../var/tmp

 

[alocin]

The solution proposed by outofwwwo worked for me. Cookies deletion and Apache restart were necessary. I think it's a good solution since you don't need to set 777 permission the session directory. Since I don't like editing vital files I used

usermod -G user_domain1 apache

which adds the user to the apache group.

Nik

I've the following env:

- linux
- apache
- PHP 5 running as CGI application

I've found the following solution:

1. add the user running the domain http request to group apache (let's say user_domain1)
1.1 edit /etc/group
1.2 line: apache:x:48:apache,user_domain1

2. clean browser cookies (for the domain in issue)

3. restart apache (not sure if really necessary).

hope it helps.

 

[smirking]

fabrii's solution worked for me

Fabrii's solution to set a custom session.save_path worked for me. I was previously having a hell of a time figuring out why any PHP session over FastCGI basically vanished immediately.

Just use this as your session.save_path:
{DOCROOT}/../var/tmp

 

[BobClaas]

Here is ur solution:

chown apachesacln /var/lib/php/session
chmod -R 770 /var/lib/php/session
chcon -R system_ubject_r:httpd_sys_content_t:s0 /var/lib/php/session

No httpd restart is required. Worked for me!

 

[Amin Taheri]

I have to do a variant of the fix BobClaas mentioned everytime I update php RPMs.

 

[DJSnoopy]

This seems not tp be a secure solution.
If the folder is read-/writeable by comlete group psacln-group every user could read session files from other users.
So this is not an acceptable solution.

Best way would be:
- session.safe_path is within users vhost dir
- default from plesk for fcgi should point to this folder per vhost

currently i´ve to setup it for every customer with fcgi manually which is annoying.

So if anyone has an idea how to teach / setup plesk to do it the right way, i would be happy to get the answer


kind regards
Michael

 

[DJSnoopy]

http://kb.parallels.com/en/115704

This solution sounds more secure
Users can write to folder, but only could read their own files.

kind regards
Michael