Greg Hudson’s MIT blog


cobwebs: PHP session directories and related stuff

Posted in minerva by ghudson on the May 15th, 2007

Since I last posted, I’ve been working on the cobwebs db guest image and learning about MySQL.  There’s not much to say about that since it pretty much just works.  I need to write a little bit of machinery to create users and to create databases for users, but it doesn’t seem hard.  For the moment I’m hand-creating databases as I need them.
I’ve also tried deploying a few PHP web apps onto my test apache instance.  The results are pretty encouraging.  WordPress and Drupal worked with no problems.  I do notice that all these web apps assume that the vast majority of web host sites use “localhost” as the MySQL host.  That seems a little odd; I would expect most web hosts to want to separate out the database server pretty quickly.  I wonder if they use redirectors.
When I tried out MediaWiki, I ran into a small hurdle: it wants the PHP session directory to be writable, which it’s not since /etc/php.ini sets save_path to /var/lib/php/session which is writable by group apache but not by random user IDs.  I can configure PHP’s session.save_path in /etc/php.ini to point to a world-writable sticky directory like /tmp.  The planned default umask (072; all users share the same group) would work to protect session data from other users, I think.  But it feels unsafe; I’d rather have a separate session directory for each user.  I don’t think I can do that in a single global php.ini; the documentation and source code don’t reveal any kind of substitution going on in session.save_path which I could use to put in the current user’s home directory or some such.

scripts.mit.edu creates a php.ini alongside its web app auto-deployments which sets session.save_path.  I could do the same, but that only works for web apps I have auto-installers for.  I’d like stuff to work out of the box as much as possible.

On a similar note, how does scripts.mit.edu configure PHP to automatically notice php.ini files dropped in alongside PHP scripts?  I couldn’t immediately figure that out, and it didn’t seem to happen on its own.

One Response to 'cobwebs: PHP session directories and related stuff'


  1. Anders Kaseorg said,

    on May 16th, 2007 at 6:17 am

    Why 072 and not 077?

    The way we currently get php to read ./php.ini is with “SetEnv PHPRC .” in httpd.conf, and a small suexec patch to preserve PHPRC in the environment. However, I think this is a terrible idea, because php.ini is found only in the current directory and not its parents (so we have to create php.ini symlink farms in our autoinstallers), and also because of the unclear security implications. It is better to have a php wrapper that finds the appropriate php.ini and gives it to php with --php-ini or whatever.
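
The wrapper idea from the comment above, combined with the per-user session directory the post asks for, as an added example; it is not code from the post, the comment or scripts.mit.edu. The calling convention (`wrapper SCRIPT TOP`), the `~/.php-sessions` path and the ownership and permission checks on php.ini are assumptions; `-c` is the short form of `--php-ini`.

```shell
#!/bin/sh
# Added example. Assumptions: invoked as "wrapper SCRIPT TOP", where TOP is
# the top of the calling user's web tree; ~/.php-sessions is a made-up path.

# Print the nearest php.ini at or above directory $1, never looking above $2.
find_php_ini() {
    dir=$(cd "$1" 2>/dev/null && pwd -P) || return 1
    top=$(cd "$2" 2>/dev/null && pwd -P) || return 1
    case "$dir/" in
        "$top"/*) ;;              # start directory is inside the tree
        *) return 1 ;;            # anything else is refused outright
    esac
    while :; do
        ini="$dir/php.ini"
        # Accept only a regular file (no symlink) owned by the effective
        # UID and not writable by group or other; otherwise keep walking up.
        if [ -f "$ini" ] && [ ! -L "$ini" ] && [ -O "$ini" ] &&
           [ -z "$(find "$ini" -prune \( -perm -020 -o -perm -002 \) -print)" ]
        then
            printf '%s\n' "$ini"
            return 0
        fi
        [ "$dir" = "$top" ] && return 1
        dir=${dir%/*}
    done
}

# Run SCRIPT with the php.ini found above and a private session directory.
run_php() {
    sess="$HOME/.php-sessions"                 # hypothetical location
    mkdir -p "$sess" && chmod 700 "$sess" || return 1
    if ini=$(find_php_ini "$(dirname "$1")" "$2"); then
        exec php -c "$ini" -d "session.save_path=$sess" "$1"
    fi
    exec php -d "session.save_path=$sess" "$1"
}

if [ "$#" -gt 0 ]; then run_php "$@"; fi
```

Because the search walks up through parent directories, one php.ini at the top of an application covers every subdirectory, which removes the need for symlink farms.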
