Can't read a session
#1

(This post was last modified: 05-03-2024, 11:59 AM by ElTomTom.)

We configure our project to use the default suggested by CodeIgniter for session configuration; we only changed the name of the cookie.

We grant the permissions to the session directory in Ubuntu:
Code:
chmod -R 755 writable/
chown -R www-data:www-data writable/


There is no ajax or anything else, just normal access with views.
But as soon as we run the project, the error appears in the log:


PHP Code:
ERROR 2024-05-03 18:19:45 --> Session: Unable to obtain lock for file '/var/www/html/website/writable/session/mysession....4vpq81...psa3h'.
CRITICAL 2024-05-03 18:19:45 --> ErrorException: session_start(): Failed to read session data: user (path: /var/www/html/website/writable/session)
in SYSTEMPATH/Session/Session.php on line 919.
[internal function]: CodeIgniter\Debug\Exceptions->errorHandler()
2 SYSTEMPATH/Session/Session.php(919): session_start()
3 SYSTEMPATH/Session/Session.php(241): CodeIgniter\Session\Session->startSession()
4 SYSTEMPATH/Config/Services.php(699): CodeIgniter\Session\Session->start()
5 SYSTEMPATH/Config/BaseService.php(258): CodeIgniter\Config\Services::session()
6 SYSTEMPATH/Config/BaseService.php(199): CodeIgniter\Config\BaseService::__callStatic()
7 SYSTEMPATH/Config/Services.php(664): CodeIgniter\Config\BaseService::getSharedInstance()
8 SYSTEMPATH/Config/BaseService.php(258): CodeIgniter\Config\Services::session()
9 APPPATH/Controllers/Login.php(16): CodeIgniter\Config\BaseService::__callStatic()
10 SYSTEMPATH/CodeIgniter.php(915): App\Controllers\Login->__construct()
11 SYSTEMPATH/CodeIgniter.php(494): CodeIgniter\CodeIgniter->createController()
12 SYSTEMPATH/CodeIgniter.php(361): CodeIgniter\CodeIgniter->handleRequest()
13 FCPATH/index.php(79): CodeIgniter\CodeIgniter->run() 


PHP Code:
<?php

namespace Config;

use CodeIgniter\Config\BaseConfig;
use CodeIgniter\Session\Handlers\FileHandler;

class Session extends BaseConfig
{
    // File-based session handler.
    public string $driver = FileHandler::class;

    // Session cookie name: the only value changed from the defaults.
    public string $cookieName = 'mysession';

    public int $expiration = 7200;

    // Session files are stored under writable/session.
    public string $savePath = WRITEPATH . 'session';

    public bool $matchIP = false;

    public int $timeToUpdate = 300;

    public bool $regenerateDestroy = false;

    public ?string $DBGroup = null;
}



What could be happening?


P.S.: My php.ini is configured by default to use a session with Redis.
Reply
#2

Have you checked permissions for directories /var/www/html and /var/www/html/website ?
Reply
#3

There is no reason to give write permission to /var/www/html/website and /var/www/html if only the writable and writable/session folders are to be written to.

IMHO, it is no longer even safe to store a session in a directory located in /var/www/html/*

This should either stay in the /tmp folder or allow the writable constant to be in a location that is completely inaccessible via the browser.

This goes completely against what the CIS Apache Benchmark Guidelines suggest.

https://www.tenable.com/audits/items/CIS...b02c050880

"Outside the Configured Web DocumentRoot - The directory should NOT be under the configured DocumentRoot directory as such directories are browsable by default, and might allow unintentional web read access. With web read access an attacker could upload malicious content, and then references the content in a URL exploiting the trust that users have in the website."
Reply
#4

(05-04-2024, 05:38 PM)ElTomTom Wrote: There is no reason to give write permission to /var/www/html/website and /var/www/html if only the writable and writable/session folders are to be written to.

IMHO, it is no longer even safe to store a session in a directory located in /var/www/html/*

This should either stay in the /tmp folder or allow the writable constant to be in a location that is completely inaccessible via the browser.

This goes completely against what the CIS Apache Benchmark Guidelines suggest.

https://www.tenable.com/audits/items/CIS...b02c050880

"Outside the Configured Web DocumentRoot - The directory should NOT be under the configured DocumentRoot directory as such directories are browsable by default, and might allow unintentional web read access. With web read access an attacker could upload malicious content, and then references the content in a URL exploiting the trust that users have in the website."

For CodeIgniter, the Web DocumentRoot is in the public folder of the project. That fulfills your reference.
Reply
#5

Even when setting the /tmp folder as the session location, the error continues to occur.

ErrorException: session_start(): Failed to read session data: user (path: /tmp)
Reply
#6

(This post was last modified: 05-10-2024, 01:09 PM by ElTomTom.)

The problem is the file_lock which is blocked by AppArmor.
Reply
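
The diagnosis in post #6, as an added example that is not part of the thread or of CodeIgniter: a shell function that counts AppArmor lock denials (a `denied_mask` containing `k`) on files under a session save path, plus the file rule that grants locking there. The log lines, the profile name `example-php-profile` and the function names are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample kernel audit lines (not taken from the thread).
SAMPLE_LOG='May  3 18:19:45 host kernel: audit: type=1400 audit(1714760385.101:211): apparmor="DENIED" operation="file_lock" profile="example-php-profile" name="/var/www/html/website/writable/session/mysession_constructed1" pid=4101 comm="php" requested_mask="k" denied_mask="k" fsuid=33 ouid=33
May  3 18:19:47 host kernel: audit: type=1400 audit(1714760387.440:212): apparmor="DENIED" operation="file_lock" profile="example-php-profile" name="/var/www/html/website/writable/session/mysession_constructed2" pid=4102 comm="php" requested_mask="k" denied_mask="k" fsuid=33 ouid=33
May  3 18:19:50 host kernel: audit: type=1400 audit(1714760390.007:213): apparmor="ALLOWED" operation="file_lock" profile="example-php-profile" name="/var/www/html/website/writable/session/mysession_constructed1" pid=4103 comm="php" requested_mask="k" denied_mask="k" fsuid=33 ouid=33
May  3 18:20:02 host kernel: audit: type=1400 audit(1714760402.330:214): apparmor="DENIED" operation="file_lock" profile="example-php-profile" name="/tmp/mysession_constructed3" pid=4107 comm="php" requested_mask="k" denied_mask="k" fsuid=33 ouid=33'

# lock_denials SAVE_PATH
# Reads audit lines on stdin and prints "<count> <profile>" for every profile
# that was DENIED the lock permission (k) on a file under SAVE_PATH.
lock_denials() {
  dir="${1%/}/"
  awk -v dir="$dir" '
    # Value of key="value" on the current line, or "" when the key is absent.
    function field(key,   m) {
      if (!match($0, " " key "=\"[^\"]*\"")) return ""
      m = substr($0, RSTART, RLENGTH)
      sub("^ " key "=\"", "", m)
      sub("\"$", "", m)
      return m
    }
    {
      if (field("apparmor") == "DENIED" && index(field("denied_mask"), "k") > 0 &&
          index(field("name"), dir) == 1)
        hits[field("profile")]++
    }
    END { for (p in hits) printf "%d %s\n", hits[p], p }
  ' | sort
}

# suggest_rule SAVE_PATH
# Prints an AppArmor file rule granting read, write and lock (k) under SAVE_PATH.
suggest_rule() {
  printf '  %s/** rwk,\n' "${1%/}"
}

# Demo on the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | lock_denials /var/www/html/website/writable/session
suggest_rule /var/www/html/website/writable/session
```

On a live host, pipe the kernel log into the function instead of the sample, for example `journalctl -k | lock_denials /tmp`; the profile it names is the one that needs the printed rule.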



