
Fixing your session save path

Nicholas K. Dionysopoulos edited this page Jul 3, 2024 · 2 revisions

Kindly note that the general advice on PHP sessions found on this page applies for all PHP applications, including Joomla! and WordPress. It is not specific to Akeeba Panopticon. It is specific to PHP and how a server needs to be set up to serve PHP applications.

Why do you need a session save path and what does it do?

PHP is a stateless language. This means that it does not, by default, save its state between requests. It has no idea who you are, or whether it has seen you before. Think about Dory in Finding Nemo.

Of course, this would be a major problem as it would not let us write applications where the user can log in. This is solved using sessions. PHP sets a cookie on your browser with a unique session identifier the first time it “sees” you, and reads it back on every subsequent request. We developers can store bits of information, e.g. whether you are logged in and which user ID is yours, under this session identifier. PHP stores them in a small text file on the server. On the next page load that comes from you with that session identifier in the cookies, we can read that information back. There are of course other security controls, but that's the concept of sessions you need to know.

As you noticed, PHP needs to save session information in small text files. These files are saved in PHP's Session Save Path.

Some servers are misconfigured, telling PHP to use a directory to which it cannot write. This makes it impossible for PHP to have sessions, therefore it makes things like logging in impossible. Akeeba Panopticon detects that problem and lets you know, for the obvious reason that until it's fixed you'll be unable to log into Panopticon, therefore unable to monitor your sites!

How do you fix this problem?

In general, it is best to let your host know that the PHP session save path is unwriteable. This is a fundamental issue with their hosting environment configuration they should be aware of and fix.

If you are your own host

If you are your own host you can edit your PHP configuration file (php.ini, usually found under /etc/php/8.1 where 8.1 is your PHP version). Look for the session.save_path configuration parameter and edit it.

Remember that you will need to restart the web server service (if you are using PHP as an Apache module, or a CGI/FastCGI script) or the PHP-FPM service (if you are using PHP through the PHP FastCGI Process Manager) for the changes to take effect.

If you are on a host using PHP as an Apache module

First, create a new subdirectory called session inside the Panopticon installation's tmp folder. This is a safe place, as it's protected against direct web access on most hosts.

You will need to modify your .htaccess file as well. If you do not have a .htaccess file yet, we recommend that you copy Panopticon's htaccess.txt into a new .htaccess file. Edit the .htaccess file and add this line at the bottom:

php_value session.save_path /path/to/tmp/session

where /path/to/tmp/session is the absolute path to the tmp/session path you created in the previous step.

If you are not sure what is the absolute path, please ask your host.

If you are on a host using PHP as a CGI/FastCGI script, or with PHP-FPM (FastCGI Process Manager)

First, create a new subdirectory called session inside the Panopticon installation's tmp folder. This is a safe place, as it's protected against direct web access on most hosts.

Next up, you need to create a new file .user.ini in Panopticon's installation folder, i.e. where its index.php file is. Please pay attention to the dot in front of the file name! The contents of that file need to be:

session.save_path=/path/to/tmp/session

where /path/to/tmp/session is the absolute path to the tmp/session path you created in the previous step.

If you are not sure what is the absolute path, please ask your host.

Please note that creating or changing the contents of this file may take about 5 minutes to apply. This time limit is configured in PHP's server-wide configuration file; it's not something we have any control over.
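To confirm that the new setting is actually in effect for this site and that PHP can really write there, you can use the small check script below. It is an added example, not Panopticon's own code; the file name session-check.php is just a suggestion.

```php
<?php
// Added verification script, not part of Panopticon: save it next to
// Panopticon's index.php (e.g. as session-check.php), open it in a browser
// after the .htaccess or .user.ini change, then delete it again.
declare(strict_types=1);

function resolveSessionSavePath(): string
{
    // Empty means PHP falls back to the system temp directory; the value may
    // also carry the "N;mode;/path" prefix, so keep only the last part.
    $raw = (string) ini_get('session.save_path');
    if ($raw === '') {
        return sys_get_temp_dir();
    }
    $parts = explode(';', $raw);
    return end($parts);
}

function sessionSavePathProblems(string $dir): array
{
    if (ini_get('session.save_handler') !== 'files') {
        return ['session.save_handler is not "files"; save_path is not a directory'];
    }
    $real = realpath($dir);
    if ($real === false || !is_dir($real)) {
        return ["directory does not exist: $dir"];
    }
    // is_writable() only consults mode bits; ACLs, SELinux or a read-only
    // mount can still block writes, so prove writability by creating a file.
    $probe = @tempnam($real, 'sess_check_');
    if ($probe === false) {
        return ["PHP cannot create files in $real"];
    }
    // tempnam() silently falls back to the system temp directory when $real
    // is not writable, so verify where the probe file actually landed.
    $landed = realpath(dirname($probe)) === $real;
    @unlink($probe);
    return $landed ? [] : ["PHP cannot create files in $real (tempnam fell back to " . dirname($probe) . ')'];
}

header('Content-Type: text/plain');
$dir = resolveSessionSavePath();
echo "session.save_path resolves to: $dir\n";
$problems = sessionSavePathProblems($dir);
echo $problems === [] ? "OK: PHP can store session files here.\n" : 'PROBLEM: ' . implode("\nPROBLEM: ", $problems) . "\n";
```

Because the script runs through the web server, it sees the same session.save_path value as Panopticon does, including anything set in .htaccess or .user.ini; running it from the command line would not.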

What if this does not help?

On some misconfigured hosts, the web server runs under a different user than your FTP / SFTP user. This configuration means that a folder you create over FTP / SFTP, or with the hosting control panel's file manager will not be writeable by PHP itself.

On those hosts you will additionally need to give 0777 permissions to the tmp/session folder to make it writeable by PHP.

We strongly recommend against using this kind of hosting, though, and we consider this kind of configuration a big red flag about the security of the hosting environment. The writability issue of this kind of configuration was well understood and solved in the early 2000s with the introduction of suPHP and, later, with PHP-FPM. If your host has not updated their hosting configuration to address this well-understood issue in the past 20 years it's unlikely that they understand security, therefore very likely that they will have made other grave security-related mistakes in their configuration. Hence our strong advice against using such a hosting environment.

If you are your own host, remember that you should NEVER be using PHP as an Apache module. This is a legacy mode of operation, dating back to early 2000, when PHP was a very young and immature language that was most suitable for light pre-processing of otherwise static HTML pages, not the powerful language it is today. You should always be using PHP-FPM with a pool that runs under the same user and group as your regular login account (therefore, the same user and group you use when managing your site's files with FTP / SFTP).

Improving session handling

As noted above, by default Akeeba Panopticon uses the PHP Session Save Path configured on your server. However, this may not be a good idea.

On most servers, the PHP session save path is common across all sites on the server. This means that PHP running on any site on the server will be using the same folder. This is problematic for two reasons.

If the server operator has not set up each site to use a different system user, or if they have not set the sticky bit on the PHP session save path folder, any site on the server can read any other site's PHP session data. This is a major security concern as it allows a malicious user on the server to read potentially privileged information and/or facilitate a session hijack. Since access to Akeeba Panopticon is functionally identical to being a Joomla! Super User or WordPress Administrator / Network Administrator on the site it becomes very clear that this kind of situation would put all of your configured sites at risk. Since the security of this kind of configuration cannot be evaluated without knowing how the server was set up, the only solution is to not use PHP's session save path.

Beyond security, a shared PHP session save path means that accessing any site using the same session save path will eventually trigger PHP's session garbage collection. By default, PHP is configured to delete sessions 24 minutes after they have been idle. This is typically lower than the session expiration time you have configured on your Akeeba Panopticon installation, which is why you may have a session expiration time of 1440 minutes (24 hours) but find yourself having to log in again after less than half an hour since you last accessed Akeeba Panopticon. Nope, Akeeba Panopticon isn't broken, it's the shared session save path and how PHP manages it that's the issue. The only solution to this problem is to use a private PHP session save path.
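The following is an added diagnostic, not Panopticon's own code, that reports the signs of a shared session save path described in the two paragraphs above: a directory owned by another user, a world-writable directory without the sticky bit, a directory other accounts can list, and session files belonging to other users. Run it through the web server next to index.php (the file name session-shared.php is just a suggestion) and delete it afterwards.

```php
<?php
// Added diagnostic, not Panopticon's own code: reports whether the session
// save path this site uses looks shared with other accounts on the server.
// Only meaningful with session.save_handler=files.
declare(strict_types=1);
function sessionDirectoryReport(string $dir): array
{
    $r = ['dir' => $dir, 'warnings' => []];
    $st = @stat($dir);
    if ($st === false) {
        $r['warnings'][] = 'directory not found or not accessible';
        return $r;
    }
    $me = function_exists('posix_geteuid') ? posix_geteuid() : null;
    $r['owner_uid'] = $st['uid'];
    $r['php_uid'] = $me;
    $r['sticky'] = ($st['mode'] & 01000) !== 0;
    $r['world_writable'] = ($st['mode'] & 0002) !== 0;
    $r['world_readable'] = ($st['mode'] & 0004) !== 0;
    if ($me !== null && $st['uid'] !== $me) {
        $r['warnings'][] = 'directory is owned by another user, so it is not private to this site';
    }
    if ($r['world_writable'] && !$r['sticky']) {
        $r['warnings'][] = 'world-writable without the sticky bit: any account can delete or replace session files';
    }
    if ($r['world_readable']) {
        $r['warnings'][] = 'other accounts can list the directory and see live session IDs in the file names';
    }
    // Session files owned by other users are direct evidence of sharing. The
    // listing may fail on 1733-style directories; that is the safer setup.
    $foreign = 0;
    try {
        foreach (new DirectoryIterator($dir) as $f) {
            if ($f->isFile() && str_starts_with($f->getFilename(), 'sess_')
                && $me !== null && $f->getOwner() !== $me) {
                $foreign++;
            }
        }
    } catch (UnexpectedValueException $e) {
        $r['listable'] = false;
    }
    if ($foreign > 0) {
        $r['warnings'][] = "$foreign session file(s) belong to other users: the path is shared";
    }
    return $r;
}
header('Content-Type: text/plain');
$parts = explode(';', (string) ini_get('session.save_path'));
print_r(sessionDirectoryReport(end($parts) ?: sys_get_temp_dir()));
```

Any warning in the output is a reason to switch “Use the default PHP Session Save Path” to No, as described below.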

If you are absolutely sure that you are not affected by any of these issues – for example, because you run a dedicated server instance for Akeeba Panopticon, or your host has properly configured their servers so that each site uses its own session save path – leave the System Configuration option “Use the default PHP Session Save Path” enabled. You'll be fine.

If you are unsure, or you know that your server uses shared sessions, or you have more than one site hosted under the same hosting user account, go to the System Configuration page and set “Use the default PHP Session Save Path” to No. This will tell Panopticon to create the tmp/session folder under its installation folder and use it for saving session data. If this folder is not created, or you cannot log into your site, create this folder yourself and give it 0777 permissions. Also read “What if this does not help?” above to understand why this happens, and why you should NOT be using this kind of hosting environment.
