I've just moved a collection of sites over to a brand-new server, running Apache 2.2.3, PHP 5.3, and Plesk 10.1.1. I am having problems with file permissions on PHP sessions, which are being stored in /var/lib/php/session.
I originally set the permissions like so for this folder:
drwxrwx--- 2 apache psacln 8192 Mar 22 23:25 session
This worked fine for HTTP sessions. Files were being saved in that folder with these permissions:
-rw------- 1 client1 psacln 0 Mar 22 23:24 sess_507...
-rw------- 1 client2 psacln 0 Mar 22 23:25 sess_8o1...
The problem, however, is that PHP scripts accessed via HTTPS do not seem to be run by the same client1 or client2 user. I deleted files in the session directory and accessed a login page via HTTPS to see how sessions were being saved when initiated via this protocol:
-rw------- 1 apache apache 0 Mar 22 23:25 sess_507...
So, for whatever reason, sessions initiated by clients browsing with HTTPS were being saved by apache:apache, while sessions from HTTP clients were saved with someclient:psacln.
What I'd like to ask:
How can I avoid this problem with session permissions? When sessions are created via unencrypted HTTP and a client visits an HTTPS portion of the site, permission errors are shown, since apache:apache tries to access the session save created by someclient:psacln. The converse is also true.
Can I change the user which runs the Apache HTTPS server, via Plesk or the command line?
If not, can I have PHP sessions save with rw-rw---- permissions, and then add apache to the psacln group?
Any other suggestions on how to fix this issue?
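
Added example, not part of the original post: a small Python model of the Unix owner/group/other check, applied to the ownerships shown in the listings above and to the rw-rw---- variant asked about. The file labels, the group memberships and the helper names are assumptions made for illustration; nothing is read from disk.

```python
from collections import namedtuple

# Constructed model of the listings in the post.
Entry = namedtuple("Entry", "name owner group mode")

def can_open_rw(entry, user, groups):
    """Unix applies exactly one class: owner, else group, else other.
    Root's permission bypass is ignored here."""
    if user == entry.owner:
        bits = entry.mode >> 6
    elif entry.group in groups:
        bits = entry.mode >> 3
    else:
        bits = entry.mode
    return bits & 0o6 == 0o6

def access_matrix(entries, identities):
    """Map each session file to the sorted users able to open it read-write."""
    return {
        e.name: sorted(u for u, g in identities.items() if can_open_rw(e, u, g))
        for e in entries
    }

def with_mode(entries, mode):
    """Same files, saved with a different permission mode."""
    return [e._replace(mode=mode) for e in entries]

# Ownerships as listed for HTTP and HTTPS requests (names are constructed labels).
FILES = [
    Entry("sess_http_client1", "client1", "psacln", 0o600),
    Entry("sess_http_client2", "client2", "psacln", 0o600),
    Entry("sess_https", "apache", "apache", 0o600),
]
# Assumed memberships: clients in psacln, apache only in its own group.
CURRENT = {"client1": {"psacln"}, "client2": {"psacln"}, "apache": {"apache"}}
# Variant from the question: apache added to psacln, files saved rw-rw----.
PROPOSED = {**CURRENT, "apache": {"apache", "psacln"}}

if __name__ == "__main__":
    for label, files, ids in (
        ("current, rw-------", FILES, CURRENT),
        ("proposed, rw-rw----", with_mode(FILES, 0o660), PROPOSED),
    ):
        print(label)
        for name, users in access_matrix(files, ids).items():
            print(f"  {name}: {', '.join(users)}")
```

In this model the rw-rw---- variant lets apache open the client-owned files, but it also lets every psacln member open every other client's session files, and a file created as apache:apache stays closed to the client users because its group is still apache.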