Debian Bug report logs - #621360
/etc/cron.d/php5 wreaks havoc on session-based PHP apps
Reported by: David Norris <dnorris@dkiservices.com>
Date: Wed, 6 Apr 2011 20:59:05 UTC
Severity: wishlist
Tags: wontfix
Found in version 5.3.2-1ubuntu4.2
Done: Ondřej Surý <ondrej@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, dnorris@dkiservices.com, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>: Bug#621360; Package php5. (Wed, 06 Apr 2011 20:59:12 GMT)
Acknowledgement sent to David Norris <dnorris@dkiservices.com>: New Bug report received and forwarded. Copy sent to dnorris@dkiservices.com, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Wed, 06 Apr 2011 20:59:13 GMT)
Message #5 received at submit@bugs.debian.org:
Package: php5
Version: 5.3.2-1ubuntu4.2
Severity: important
The cron job assumes that all PHP scripts use the global max lifetime value. I have never, once, ever seen a PHP script that recommends using the default settings as a good idea. For example, I am using SugarCRM. The cron job is blindly vaporizing session data every 30 minutes despite the fact that SugarCRM changes this value locally. The effect this has is devastating to the operation of SugarCRM. Ajax calls into the application often get redirected to a login dialog due to the session disappearing at inappropriate times. When this occurs it causes data loss in the application.
Also, it seems inappropriate to me to change the global php.ini setting at all for any reason. Those are very reasonable defaults. However, within Apache you may want to locally modify the max lifetime for a particular vhost to a value which is unreasonable to other vhosts. Such as SugarCRM where we want sessions to last an entire 8 hour shift.
I question whether this cron job serves any purpose at this point. It seems to be working around a bug in the Debian PHP 4.0 package from 2004. I have been testing today and PHP 5.3 appears to be garbage collecting sessions appropriately. The permissions seem to suggest there should be no problems, as well.
The original Debian Bugs which prompted the addition of the cron job and move of session data to /var/lib/php[4|5] are #256831 and #257111.
Sorry, the system info is probably a bit ugly as this is an Ubuntu system, but the problem originates from Debian so I chose to submit to the Debian BTS.
-- System Information:
Debian Release: squeeze/sid
APT prefers lucid-updates
APT policy: (500, 'lucid-updates'), (500, 'lucid-security'), (500, 'lucid')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.32-21-server (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages php5 depends on:
ii libapache2-mod-php5 5.3.2-1ubuntu4.2 server-side, HTML-embedded scripti
ii php5-common 5.3.2-1ubuntu4.2 Common files for packages built fr
php5 recommends no packages.
php5 suggests no packages.
-- no debconf information
Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>: Bug#621360; Package php5. (Wed, 06 Apr 2011 21:24:29 GMT)
Acknowledgement sent to Ondřej Surý <ondrej@debian.org>: Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Wed, 06 Apr 2011 21:24:34 GMT)
Message #10 received at 621360@bugs.debian.org:
severity 621360 wishlist
tags 621360 +wontfix
thank you
Hi David,
you seem to misunderstand the concept of the cron job. The cron job itself serves no purpose, but it has to be there since /var/lib/php5 should not be readable by www-data (or any other user) for security reasons - you certainly don't want any script running under the www-data user to be able to read other webs' sessions.
As for SugarCRM, you're free to re-enable the GC, disable the cron job or set the session directory to some other one and do whatever modification (like just setting the timeout to 6 hours, etc.) you need.
Also, if you feel that the description in php5-common README.Debian is not sufficient, we are certainly open to any suggestions on how to improve the text.
O.
On Wed, Apr 6, 2011 at 22:49, David Norris <dnorris@dkiservices.com> wrote:
--
Ondřej Surý <ondrej@sury.org>
http://blog.rfc1925.org/
Severity set to 'wishlist' from 'important'. Request was from Ondřej Surý <ondrej@debian.org> to control@bugs.debian.org. (Wed, 06 Apr 2011 21:24:46 GMT)
Added tag(s) wontfix. Request was from Ondřej Surý <ondrej@debian.org> to control@bugs.debian.org. (Wed, 06 Apr 2011 21:24:47 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>: Bug#621360; Package php5. (Wed, 06 Apr 2011 21:55:18 GMT)
Acknowledgement sent to David L Norris <dnorris@dkiservices.com>: Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Wed, 06 Apr 2011 21:55:23 GMT)
Message #19 received at 621360@bugs.debian.org:
No, I understand the concept of the cron job. I do agree that allowing PHP/Apache to enumerate the session directory is a bad idea. Seems like PHP's session garbage collection is lacking a bit. Surely they could devise a means of garbage collection that doesn't rely on scanning a directory.
I see that bug #590485 fixes the cron job so I can use conf.d to override. So I could just override the global defaults by having my SugarCRM package install a config file fragment.
Thanks for taking the time to look at this!
David L Norris
Manager of Information Technology
DKI Services Corporation
dnorris@dkiservices.com
Direct: 317.614.0298
Mobile: 317.417.1188
Fax: 317.481.8984
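The two points the thread turns on, in one added example (this is not the Debian /etc/cron.d/php5 script, only a model of the behaviour described above): a cleaner that scans the session directory takes session.gc_maxlifetime from php.ini and conf.d fragments, so an application's ini_set() is invisible to it, and a conf.d fragment (as David concludes from #590485) is the override it does honour. The php.ini contents, the 99-sugarcrm.ini file name and the session files are constructed here in a temp directory; GNU touch (-d) and find (-mmin) are assumed.

```shell
#!/bin/sh
# Added example, not the Debian /etc/cron.d/php5 script: a model of a
# directory-scanning session cleaner that reads session.gc_maxlifetime from
# php.ini plus conf.d/*.ini (last assignment wins) and removes session files
# older than that. It shows why an application's runtime ini_set() is invisible
# to such a cleaner and why a conf.d fragment is the override that works.
# Runs entirely in a temp dir built here; needs GNU touch (-d) and find (-mmin).

# Print the effective session.gc_maxlifetime in seconds.
# Usage: effective_gc_maxlifetime <php.ini> <conf.d-dir>
effective_gc_maxlifetime() {
    cat "$1" "$2"/*.ini 2>/dev/null |
        sed -n 's/^[[:space:]]*session\.gc_maxlifetime[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p' |
        tail -n 1
}

# Count the sess_* files a cleaner would delete for a given lifetime.
# Usage: stale_session_count <session-dir> <lifetime-seconds>
stale_session_count() {
    find "$1" -maxdepth 1 -type f -name 'sess_*' -mmin "+$(( $2 / 60 ))" | wc -l | tr -d ' '
}

# Constructed layout: default php.ini and two sessions, 40 and 5 minutes old.
# Prints the directory so callers can add a conf.d fragment and re-check.
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/conf.d" "$d/sessions"
    printf 'session.gc_maxlifetime = 1440\n' > "$d/php.ini"
    touch -d '40 minutes ago' "$d/sessions/sess_longrunning"
    touch -d '5 minutes ago'  "$d/sessions/sess_recent"
    echo "$d"
}

demo() {
    d=$(make_fixture)
    before=$(effective_gc_maxlifetime "$d/php.ini" "$d/conf.d")
    echo "global lifetime ${before}s: stale sessions = $(stale_session_count "$d/sessions" "$before")"
    # The application's ini_set('session.gc_maxlifetime', 28800) exists only inside
    # the PHP process; the cleaner never sees it, so the 40-minute session is stale.
    # A conf.d fragment (the override bug #590485 enables) is what the cleaner reads:
    printf 'session.gc_maxlifetime = 28800\n' > "$d/conf.d/99-sugarcrm.ini"
    after=$(effective_gc_maxlifetime "$d/php.ini" "$d/conf.d")
    echo "with conf.d fragment ${after}s: stale sessions = $(stale_session_count "$d/sessions" "$after")"
    rm -rf "$d"
}

demo
```

The same mismatch applies to a per-vhost php_value in Apache: it changes what PHP's own GC would use inside that vhost, not what a directory-scanning cleaner reads, so a system-wide fragment or a separate session.save_path for that application is the setting that actually changes the cleaner's behaviour.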
Reply sent to Ondřej Surý <ondrej@debian.org>: You have taken responsibility. (Thu, 23 Aug 2012 07:33:12 GMT)
Notification sent to David Norris <dnorris@dkiservices.com>: Bug acknowledged by developer. (Thu, 23 Aug 2012 07:33:12 GMT)
Message #24 received at 621360-done@bugs.debian.org:
> I see that bug #590485 fixes the cron job so I can use conf.d to override. So I could just override the global defaults by having my sugarcrm package install a config file fragment.
--
Ondřej Surý <ondrej@sury.org>
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 21 Sep 2012 07:36:32 GMT)
Last modified: Sun Jul 2 01:11:41 2023