Debian, PHP5, and session garbage collection

Posted on Friday, Sep 22, 2006 at 11:51 AM

Poking around, like you do on your server, I noticed that PHP session files weren't being deleted, even after a few days. Turns out, PHP's automatic garbage collection is disabled on Debian. Instead, it's replaced by a cron script that cleans out the /var/lib/php5 directory, which is where sessions are saved by default. If you're a security-conscious PHP developer, you give each PHP application its own session save path. If you do that on a Debian box, make sure you re-enable garbage collection by setting session.gc_divisor to a positive integer.

    ; Define the probability that the 'garbage collection' process is started
    ; on every session initialization.
    ; The probability is calculated by using gc_probability/gc_divisor,
    ; e.g. 1/100 means there is a 1% chance that the GC process starts
    ; on each request.

    ; This is disabled in the Debian packages, due to the strict permissions
    ; on /var/lib/php5. Instead of setting this here, see the cronjob at
    ; /etc/cron.d/php5, which uses the session.gc_maxlifetime setting below
    ;session.gc_probability = 0
    session.gc_divisor = 100

Also, the README.Debian file spells this out. Shame on me for not reading it, but it should also contain instructions for handling the above situation.

    Session files are stored in /var/lib/php5.  For security purposes, this
    directory is unreadable by non-root users. This means that php5 running
    from apache, for example, will not be able to clean up stale session
    files. Instead, we have a cron job run every 30 mins that cleans up
    stale session files; /etc/cron.d/php5. You may need to modify how
    often this runs, if you've modified session.gc_maxlifetime in your
    php.ini; otherwise, it may be too lax or overly aggressive in cleaning
    out stale session files.
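
A per-application save path falls outside the cron job described above, which only cleans /var/lib/php5, so an alternative to PHP's probabilistic GC is a small cleanup job for that directory. This is an added example, not Debian's /etc/cron.d/php5 script or code from the original post; the function names are hypothetical and the directory is whatever save path the application uses.

```shell
#!/bin/sh
# Added example: stale-session cleanup for a per-application save path.
# Function names are hypothetical; this is not Debian's own cron script.

# Convert a lifetime in seconds to whole minutes for find's -mmin, rounding
# up so a session is never removed before session.gc_maxlifetime has passed.
lifetime_minutes() {
    echo $(( ($1 + 59) / 60 ))
}

# List session files in DIR whose mtime is older than MAXLIFETIME seconds.
# -type f skips symlinks and directories; -maxdepth 1 keeps find inside DIR.
stale_sessions() {
    dir=$1
    maxlifetime=${2:-1440}          # 1440 is PHP's default gc_maxlifetime
    [ -d "$dir" ] || return 1
    find "$dir" -maxdepth 1 -type f -name 'sess_*' \
        -mmin "+$(lifetime_minutes "$maxlifetime")"
}

# Delete the stale files and print how many were removed. Each file is
# printed only if its rm succeeded, so the count reflects real deletions.
purge_stale_sessions() {
    dir=$1
    maxlifetime=${2:-1440}
    [ -d "$dir" ] || return 1
    count=$(find "$dir" -maxdepth 1 -type f -name 'sess_*' \
        -mmin "+$(lifetime_minutes "$maxlifetime")" \
        -exec rm -f -- {} \; -print | wc -l)
    echo $((count))
}

# Usage: source this file from a job run as the application's own user and
# call purge_stale_sessions with the save path and the gc_maxlifetime value.
```

Run it as the user that owns the session directory rather than root, and pass the same lifetime the application sets for session.gc_maxlifetime so the two stay in step.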

Comments

Chris says

[quote] make sure you reenable garbage collection by setting session.gc_divisor to a positive integer. [/quote]
I think you mean session.gc_probability :)
Posted Wednesday, Oct 3, 2007 at 02:55 AM

Chris says

Actually a better fix would be to add something like this before changing the session.save_path:

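    // GC runs with probability gc_probability/gc_divisor (here 1/100) per session start
    ini_set('session.gc_probability', 1);
    ini_set('session.gc_divisor', 100);
    // Session files older than 3600 seconds become eligible for cleanup
    ini_set('session.gc_maxlifetime', 3600);
    // Application-specific session directory
    ini_set('session.save_path', '/path/to/folder');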
Posted Wednesday, Oct 3, 2007 at 03:00 AM
