+- CodeIgniter Forums (https://forum.codeigniter.com)
+-- Forum: CodeIgniter 4 (https://forum.codeigniter.com/forumdisplay.php?fid=28)
+--- Forum: CodeIgniter 4 Support (https://forum.codeigniter.com/forumdisplay.php?fid=30)
+--- Thread: Can't read a session (/showthread.php?tid=90786)
Can't read a session - ElTomTom - 05-03-2024
We configure our project to use the default suggested by CodeIgniter for session configuration, we only changed the name of the cookie.
We grant the permissions to the session directory in Ubuntu:
Code:
chmod -R 755 writable/
chown -R www-data:www-data writable/There is no ajax or anything else, just normal access with views.
But as soon as we run the project, the error appears in the log:
PHP Code:
ERROR - 2024-05-03 18:19:45 --> Session: Unable to obtain lock for file '/var/www/html/website/writable/session/mysession....4vpq81...psa3h'.
CRITICAL - 2024-05-03 18:19:45 --> ErrorException: session_start(): Failed to read session data: user (path: /var/www/html/website/writable/session)
in SYSTEMPATH/Session/Session.php on line 919.
1 [internal function]: CodeIgniter\Debug\Exceptions->errorHandler()
2 SYSTEMPATH/Session/Session.php(919): session_start()
3 SYSTEMPATH/Session/Session.php(241): CodeIgniter\Session\Session->startSession()
4 SYSTEMPATH/Config/Services.php(699): CodeIgniter\Session\Session->start()
5 SYSTEMPATH/Config/BaseService.php(258): CodeIgniter\Config\Services::session()
6 SYSTEMPATH/Config/BaseService.php(199): CodeIgniter\Config\BaseService::__callStatic()
7 SYSTEMPATH/Config/Services.php(664): CodeIgniter\Config\BaseService::getSharedInstance()
8 SYSTEMPATH/Config/BaseService.php(258): CodeIgniter\Config\Services::session()
9 APPPATH/Controllers/Login.php(16): CodeIgniter\Config\BaseService::__callStatic()
10 SYSTEMPATH/CodeIgniter.php(915): App\Controllers\Login->__construct()
11 SYSTEMPATH/CodeIgniter.php(494): CodeIgniter\CodeIgniter->createController()
12 SYSTEMPATH/CodeIgniter.php(361): CodeIgniter\CodeIgniter->handleRequest()
13 FCPATH/index.php(79): CodeIgniter\CodeIgniter->run()
PHP Code:
<?php
namespace Config;
use CodeIgniter\Config\BaseConfig;
use CodeIgniter\Session\Handlers\FileHandler;
class Session extends BaseConfig
{
public string $driver = FileHandler::class;
public string $cookieName = 'mysession';
public int $expiration = 7200;
public string $savePath = WRITEPATH . 'session';
public bool $matchIP = false;
public int $timeToUpdate = 300;
public bool $regenerateDestroy = false;
public ?string $DBGroup = null;
}
What could be happening?
Ps.: My php.ini is configured by default to use a session with Redis.
RE: Can't read a session - codeus - 05-04-2024
Have you checked permissions for directories /var/www/html and /var/www/html/website ?
RE: Can't read a session - ElTomTom - 05-04-2024
There is no reason to give write permission to /var/www/html/website and /var/www/html if only the writable and writable/session folders are to be written to.
IMHO, it is no longer even safe to store a session in a directory located in /var/www/html/*
This should either stay in the /tmp folder or allow the writable constant to be in a location that is completely inaccessible via the browser.
This goes completely against what the CIS Apache Benchmark Guidelines suggests.
https://www.tenable.com/audits/items/CIS_Apache_HTTP_Server_2.4_Benchmark_v2.0.0_Level_1.audit:4c06ac0514ca3fe3b44586b02c050880
"Outside the Configured Web DocumentRoot - The directory should NOT be under the configured DocumentRoot directory as such directories are browsable by default, and might allow unintentional web read access. With web read access an attacker could upload malicious content, and then references the content in a URL exploiting the trust that users have in the website."
RE: Can't read a session - Bosborne - 05-05-2024
(05-04-2024, 05:38 PM)ElTomTom Wrote: There is no reason to give write permission to /var/www/html/website and /var/www/html if only the writable and writable/session folders are to be written to.For Codeigniter, the Web DocumentRoot is in the public folder of the project. That fulfills your reference.
IMHO, it is no longer even safe to store a session in a directory located in /var/www/html/*
This should either stay in the /tmp folder or allow the writable constant to be in a location that is completely inaccessible via the browser.
This goes completely against what the CIS Apache Benchmark Guidelines suggests.
https://www.tenable.com/audits/items/CIS_Apache_HTTP_Server_2.4_Benchmark_v2.0.0_Level_1.audit:4c06ac0514ca3fe3b44586b02c050880
"Outside the Configured Web DocumentRoot - The directory should NOT be under the configured DocumentRoot directory as such directories are browsable by default, and might allow unintentional web read access. With web read access an attacker could upload malicious content, and then references the content in a URL exploiting the trust that users have in the website."
RE: Can't read a session - ElTomTom - 05-05-2024
Even when setting the /tmp folder as the session location, the error continues to occur.
ErrorException: session_start(): Failed to read session data: user (path: /tmp)
RE: Can't read a session - ElTomTom - 05-10-2024
The problem is the file_lock which is blocked by AppArmor.