Upgrade kills php sessions via memcache - cPanel & WHM 64.0 (build 17)

tom_taylor

Hi

RE: Upgrade kills php sessions via memcache - cPanel & WHM 64.0 (build 17)


I'm disappointed with the latest release of WHM - it caused a live incident on many of my clients' websites and apps that use sessions via PHP.

Secure PHP Session Save Path

More Information - MultiPHP INI Editor for WHM - Version 64 Documentation - cPanel Documentation
PHP will now use a secure session save path. Previously, /tmp was the default location for PHP session files. This has been changed to /var/cpanel/php/sessions. This directory has special permissions that prevent various vulnerabilities with the PHP session files. A cronjob has also been added that is used to clean expired sessions. This is enabled across all PHP installs.
I have configured it to use 'memcache', but it appears the latest update blindly changed my config without my permission, which broke sessions completely:

Code:
session.save_handler = memcache
session.save_path = "/var/cpanel/php/sessions/ea-php56"
There should be a check during the upgrade to see if a server had been set to 'memcache' or 'memcached' as the save handler and leave the config as is, or at least comment it out for easy restoration.


'session_handler' should have been updated also to 'files' to at least make the change work

Code:
session.save_handler = files
session.save_path = "/var/cpanel/php/sessions/ea-php56"

I've changed back to the following for use with 'memcache' and restarted, and all is working well again - I use 2 memcache instances locally:

Code:
session.save_handler = memcache
session.save_path = "tcp://127.0.0.1:11211?persistent=1&weight=1&timeout=1&retry_interval=5,tcp://127.0.0.1:11212?persistent=1&weight=1&timeout=1&retry_interval=5"

If you use 'memcached' (less control per memcache/elastic search node if using redis), it would be something like this:

Code:
session.save_handler = memcached
session.save_path = "127.0.0.1:11211,127.0.0.1:11212"


More example config: stackoverflow.com/questions/3884905/using-memcache-as-a-session-store and stackoverflow.com/questions/24184568/php-sessions-not-being-saved-in-memcache


You can also create a cron job and script (nodejs, php, ruby, etc.) to clear sessions every 30-60 mins from memcache, or use something like this: github.com/TheLastCicada/flush-memcache/blob/master/flush-memcache.php



I've created a poll, if anyone is interested to see how sessions are stored across the cPanel community :)



Thanks

Tom
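
The check the post asks for, as an added example that is not from the post or from cPanel: it reads a php.ini body, reports a session.save_handler / session.save_path mismatch, and says whether an upgrade may repoint save_path. The function names are hypothetical, and it assumes TCP memcache servers written in the two forms shown above.

```python
import re

NETWORK_HANDLERS = ("memcache", "memcached")

def session_directives(ini_text):
    """Return {directive: value} for session.* lines; the last assignment wins."""
    found = {}
    for raw in ini_text.splitlines():
        line = raw.strip()
        if line.startswith((";", "#", "[")):
            continue  # comment or section header
        m = re.match(r"(session\.\w+)\s*=\s*(.*)$", line)
        if m:
            found[m.group(1)] = m.group(2).strip().strip("\"'").strip()
    return found

def check_session_config(ini_text):
    """Return a list of handler/save_path mismatches (empty list = consistent)."""
    d = session_directives(ini_text)
    handler = d.get("session.save_handler", "files")
    path = d.get("session.save_path", "")
    problems = []
    if handler in NETWORK_HANDLERS:
        servers = [s.strip() for s in path.split(",") if s.strip()]
        if not servers:
            problems.append(f"{handler}: save_path lists no servers")
        for s in servers:
            if s.startswith("/"):
                problems.append(f"{handler}: save_path {s!r} is a directory, not a server")
            elif handler == "memcache" and "://" not in s:
                problems.append(f"memcache: {s!r} lacks the tcp:// form used in the post")
            elif handler == "memcached" and "://" in s:
                problems.append(f"memcached: {s!r} should be plain host:port")
    elif handler == "files":
        directory = path.split(";")[-1]  # tolerate the "N;MODE;/dir" form
        if "://" in directory:
            problems.append(f"files: save_path {directory!r} is a network address")
        elif directory in ("", "/tmp"):
            problems.append("files: sessions would live in the shared temp directory")
    return problems

def safe_to_repoint_save_path(ini_text):
    """Guard the post asks for: only move save_path when sessions are file-based."""
    return session_directives(ini_text).get("session.save_handler", "files") == "files"

# Constructed sample: the configuration the post reports finding after the upgrade.
AFTER_UPGRADE = 'session.save_handler = memcache\nsession.save_path = "/var/cpanel/php/sessions/ea-php56"\n'
if __name__ == "__main__":
    print(check_session_config(AFTER_UPGRADE))
```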