session.save_path (/tmp) is not writable for web server :: security-risk!?



hi there - good day dear fellows, 


the topic of today: session.save_path (/tmp) is not writable for web server :: security-risk!?

I am trying to install a script on my openSUSE web server, and I managed to resolve most of the errors except for one:


The value for session.save_path (/tmp) is not writable for the web server.
Make sure that PHP can actually save session variables.


session.save_path: writeable 
You need set permission for your var directory. 


That seems to be the problem. Well - I guess that the default ownership may be incorrect on the session folder:


Example: PHP on some Linux servers defaults to the apache user.

If you use nginx or another server, you need to switch the folder ownership. Also, as a note, you have to change the user/group setting in www.conf.



chown -R root:nginx /var/lib/php/7.0/
sed -i 's/apache/nginx/g' /etc/php-fpm-7.0.d/www.conf
service php-fpm-7.0 restart


But wait: what about the security - is it safe to make the session.save_path writeable!?

My server admin says that this is a big big hole and makes the server insecure.


love to hear from you 





Some clarification: we're talking about the installation of a survey script called LimeSurvey - cf. www.limesurvey.org

i get the following complaints during the installation process -


and if we have a closer look at the script (see below), then the server admin says that this script wants to have insecure things....


what do you say!? 



look forward to hear from you 


Edited by tarifa

1 answer to this question

hi there - dear fellows 


update: if we have a closer look at the image - the photo in the thread...


and if we think of this.. 

session_save_path ([ string $path ] ) : string
session_save_path() returns the path of the current directory used to save session data.

No session => no login
No session => no installation
A session.save_path not writable => No session.


I always thought that this code tests if we can write into the PHP variable $_SESSION or - if we cannot do that

- and I always thought that this is read only

what do you say - !? 


look forward to hear from you

This topic is now closed to further replies.
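
An added example, not part of the thread or of LimeSurvey: with PHP's file-based sessions the web server user has to be able to write to session.save_path, so the security question is who else can list or alter that directory. PHP's own documentation warns that a world-readable location such as /tmp lets other local users see the session file names. The function name and result strings are hypothetical, and GNU `stat` is assumed.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes GNU coreutils `stat`.
# Function name and result strings are hypothetical.
#
# audit_session_dir DIR WEBUSER prints one of:
#   missing                   DIR does not exist
#   not-writable              WEBUSER cannot create files in DIR (the installer's complaint)
#   world-writable-no-sticky  any local user can delete or replace session files
#   world-listable            any local user can list session file names, as in /tmp
#   ok                        WEBUSER can write; others cannot list or tamper
audit_session_dir() {
    dir=$1 webuser=$2
    [ -d "$dir" ] || { echo missing; return 0; }

    # Resolve WEBUSER to a uid and its group ids; accept a bare numeric uid too.
    uid=$(id -u "$webuser" 2>/dev/null) || uid=$webuser
    gids=$(id -G "$webuser" 2>/dev/null) || gids=

    # %a = octal mode, %u = owner uid, %g = group gid
    set -- $(stat -c '%a %u %g' "$dir")
    mode=$(printf '%4s' "$1" | tr ' ' 0); d_uid=$2; d_gid=$3

    special=${mode%???}            # setuid/setgid/sticky digit
    other=${mode#???}              # permissions for everyone else
    mid=${mode#?}; mid=${mid%?}
    owner=${mid%?}; group=${mid#?}

    # Pick the permission digit that applies to WEBUSER.
    if [ "$uid" = "$d_uid" ]; then perm=$owner
    else
        case " $gids " in
            *" $d_gid "*) perm=$group ;;
            *)            perm=$other ;;
        esac
    fi

    # Creating session files needs write (2) and search (1) on the directory.
    [ $(( perm & 3 )) -eq 3 ] || { echo not-writable; return 0; }
    # World-writable without the sticky bit: anyone may unlink others' files.
    if [ $(( other & 2 )) -ne 0 ] && [ $(( special & 1 )) -eq 0 ]; then
        echo world-writable-no-sticky; return 0
    fi
    # World-readable: anyone may enumerate the session file names.
    [ $(( other & 4 )) -eq 0 ] || { echo world-listable; return 0; }
    echo ok
}
```

Run it as `audit_session_dir /tmp wwwrun` with the account your web server actually runs as; a dedicated directory owned by that account with mode 0700 reports `ok`, while /tmp with its usual mode 1777 reports `world-listable`.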