I've just moved a collection of sites over to a brand-new server, running Apache 2.2.3, PHP 5.3, and Plesk 10.1.1. I am having problems with file permissions on PHP sessions, which are being stored in /var/lib/php/session.

I originally set the permissions like so for this folder:

drwxrwx--- 2 apache psacln 8192 Mar 22 23:25 session

This worked fine, for HTTP sessions. Files were being saved in that folder with these permissions:

-rw------- 1 client1        psacln 0 Mar 22 23:24 sess_507...
-rw------- 1 client2        psacln 0 Mar 22 23:25 sess_8o1...

The problem, however, is that PHP scripts accessed via HTTPS do not seem to be run by the same client1 or client2 user. I deleted files in the session directory and accessed a login page via HTTPS to see how sessions were being saved when initiated via this protocol:

-rw------- 1 apache         apache 0 Mar 22 23:25 sess_507...

So, for whatever reason, sessions initiated by clients browsing with HTTPS were being saved by apache:apache, while sessions from HTTP clients were saved with someclient:psacln.

What I'd like to ask:

1. How can I avoid this problem with session permissions? When sessions are created via unencrypted HTTP and a client visits an HTTPS portion of the site, permission errors are shown, since apache:apache tries to access the session save created by someclient:psacln. The converse is also true.
   1. Can I change the user which runs the Apache HTTPS server, via Plesk or the command line?
   2. If not, can I have PHP sessions save with rw-rw---- permissions, and then add apache to the psacln group?
   3. Any other suggestions on how to fix this issue?