Upgrade kills php sessions via memcache - cPanel & WHM 64.0 (build 17)


Active Member
Nov 30, 2005
Warrington, UK

RE: Upgrade kills php sessions via memcache - cPanel & WHM 64.0 (build 17)

I'm disappointed with the latest release of WHM - it caused a live incident on many of my clients websites and apps, that use sessions via php

Secure PHP Session Save Path

More Information - MultiPHP INI Editor for WHM - Version 64 Documentation - cPanel Documentation
PHP will now use a secure session save path. Previously, /tmp was the default location for PHP session files. This has been changed to /var/cpanel/php/sessions. This directory has special permissions that prevent various vulnerabilities with the PHP session files. A cronjob has also been added that is used to clean expired sessions. This is enabled across all PHP installs.
I have configured it to use 'memcache', but it appears the latest update blindly changed my config without my permission which broken sessions completely:

session.save_handler = memcache
session.save_path = "/var/cpanel/php/sessions/ea-php56"
There should be a check during the upgrade to see if a server had been set to 'memcache' or 'memcached' as the save handler and leave the config as is, or at least comment out for easy restoration

'session_handler' should have been updated also to 'files' to at least make the change work

session.save_handler = files
session.save_path = "/var/cpanel/php/sessions/ea-php56"

I've changed back to the following for use with 'memcache' and restarted, and all is working well again - i use 2 memcache instances locally:

session.save_handler = memcache
session.save_path = "tcp://,tcp://

If you use 'memcached' (less control per memcache/elastic search node if using redis), it would be something like this:

session.save_handler = memcached
session.save_path = ","

More example config: stackoverflow.com/questions/3884905/using-memcache-as-a-session-store and stackoverflow.com/questions/24184568/php-sessions-not-being-saved-in-memcache

You can also create a cron job and script (nodejs,php,ruby, etc) to clear sessions every 30-60mins from memcache, or use something like this: github.com/TheLastCicada/flush-memcache/blob/master/flush-memcache.php

I've created a poll, if anyone is interested to see how sessions are stored across the cPanel community :)


Last edited by a moderator: