[php-maint] PHP 5.3 thoughts: sessions

Mark A. Hershberger mah at everybody.org
Thu Mar 26 17:14:14 UTC 2009


5.3 seems like a good place to re-examine some past decisions.

In particular, I think looking at session handling now would be good.

Debian's PHP does something unexpected in the name of security.  It
assumes that all session handling is file-based and that users will
never attempt to change the location of where sessions are stored (to,
say, the /tmp directory).

Both these assumptions are wrong and I've run into cases where session
information fills up a filesystem because the location of session files
was changed.

In particular, the standard php.ini values are changed.
“session.save_path” is changed to “/var/lib/php5” and
“session.gc_probability” is changed from “1” to “0”.

While the increased security could be a welcome addition, making these
settings the default can cause issues for people tracking down problems.

Would it be possible to make this user-selectable at installation time?
Default to the PHP setting and ask users if they want the extra
security?  For package upgrades, as opposed to new installations, the
current behavior would remain.

Thoughts?

Mark.
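One way to catch the combination Mark ran into (a relocated session.save_path together with session.gc_probability set to 0) before a php.ini goes live, as an added example that is not part of the original message or of Debian's packaging. The function names, the ini file argument, and treating /var/lib/php5 as the only directory that gets cleaned up without PHP's own garbage collector are assumptions drawn from the post.

```shell
#!/bin/sh
# Flag a php.ini in which sessions are written somewhere other than the
# Debian default directory while PHP's built-in garbage collection is
# disabled, so nothing ever removes stale session files.  Example code
# written for this post; the directory below is the Debian default it quotes.
DEBIAN_SESSION_DIR="/var/lib/php5"

# ini_value FILE KEY -> last uncommented value of KEY (quotes stripped),
# or nothing if the key is absent.  KEY is a sed BRE, so escape dots.
# Trailing ';' comments on the same line are not stripped.
ini_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"\{0,1\}\([^\"]*\)\"\{0,1\}[[:space:]]*$/\1/p" "$1" | tail -n 1
}

# check_session_gc FILE -> status 0 if stale sessions will still be cleaned,
# 1 if the risky combination from the post is present.
check_session_gc() {
    path=$(ini_value "$1" 'session\.save_path')
    prob=$(ini_value "$1" 'session\.gc_probability')
    # PHP's own default when the key is missing is gc_probability = 1.
    [ -z "$prob" ] && prob=1
    if [ "$prob" = "0" ] && [ -n "$path" ] && [ "$path" != "$DEBIAN_SESSION_DIR" ]; then
        echo "WARNING: $1: session.save_path=$path with session.gc_probability=0; stale sessions are never removed" >&2
        return 1
    fi
    return 0
}
```

Run it as `check_session_gc /etc/php5/apache2/php.ini` (path assumed) after any edit that moves session storage; a non-zero status means either restore gc_probability or arrange cleanup for the new directory.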
