Koozali.org: home of the SME Server

webhosting contrib changing session.savepath

Offline jameswilson

webhosting contrib changing session.savepath
« on: June 29, 2024, 06:42:15 PM »
Hi all, I'm having an intermittent issue with payments on my website with PayPal.
Used to run on an SME9, maybe had the issue then too but found now.

Anyway, the team at Zen Cart are asking if I can change the session.save_path to be a folder that is in the html folder of the ibay (is this a good idea, i.e. should this data be publicly available?)

What i have now is
session.save_path   /var/lib/php/sw-zen/session

I'm not sure it will help, but I don't see any session files in that location, so I wonder if they are being stored elsewhere?

Offline Jean-Philippe Pialasse

Re: webhosting contrib changing session.savepath
« Reply #1 on: June 30, 2024, 01:33:43 AM »
This is not a good idea. The session should not be stored in a folder that is browsable from the internet, even if they tell you this is secured with a htaccess file, as it can be modified, deleted or overridden.

This is why this has been hard coded.

Offline jameswilson

Re: webhosting contrib changing session.savepath
« Reply #2 on: July 01, 2024, 04:14:41 AM »
Thanks JP, I thought it was a bad idea.

Ta

On the other side, why don't I see session details in that file location?

Offline jameswilson

Re: webhosting contrib changing session.savepath
« Reply #3 on: July 01, 2024, 04:00:29 PM »
I'm assuming the sessions are stored elsewhere?

Also I'm being asked to temporarily change session.cookie_samesite from Strict to Lax.

All this is while hunting down a PayPal payment issue where sometimes the sessions don't link, i.e. a new session is created when it shouldn't be. Unfortunately SME is being blamed for this, so I want to help find it rather than follow their advice. But I can see it looks like I'm tying 1 arm behind their back.
Most of the time there is no issue, so it's hard to track down.

Offline ReetP

Re: webhosting contrib changing session.savepath
« Reply #4 on: July 01, 2024, 05:52:45 PM »
What version of PHP are you trying to run?

What version of ZenCart?


I think I had issues with Corebos/vTiger and zebra session handler.

It turned out to be a coding issue where the dev 'assumed' various paths and didn't actually check them.

Make sure Zencart is using the system set path and not an arbitrary one of its choosing.


SameSite cookie is set here:

Code:
e-smith/templates/etc/php.ini/80ModuleSettings16Session:47:     $OUT .= "session.cookie_samesite                  = \"Strict\"\n";

Make sure you know exactly what you are doing before trying to change that and beware whether it unintentionally affects other PHP versions.


Offline jameswilson

Re: webhosting contrib changing session.savepath
« Reply #5 on: July 01, 2024, 05:59:24 PM »
Quote
What version of PHP are you trying to run?
8.1. I've been told not to go any higher yet.

Quote
What version of ZenCart?
v2.0.1

Quote
It turned out to be a coding issue where the dev 'assumed' various paths and didn't actually check them.
It's an option in the settings. I've put it to

/var/lib/php/sw-zen/session

But that location is empty. Looking at the phpinfo I notice this

session.save_handler   user   files

which to me is saving them as 'user', whatever that means, and might explain why the folder is empty.

Thanks re the SameSite cookie setting. I'll hold off on that for now till I find the sessions file location.


Offline jameswilson

Re: webhosting contrib changing session.savepath
« Reply #6 on: July 01, 2024, 08:16:38 PM »
Looks like I need the setting

session.save_handler to be files

but it's set to user. And I can't see where that is changed.
I've searched all the template files and they all have a value of 'files'.

It's not a setting I can see in the web hosting contrib or a db entry for the ibay?

James

Offline jameswilson

Re: webhosting contrib changing session.savepath
« Reply #7 on: July 02, 2024, 07:50:57 PM »
Hi Reet

I have tried changing this

Quote
SameSite cookie is set here:
Code:
e-smith/templates/etc/php.ini/80ModuleSettings16Session:47:     $OUT .= "session.cookie_samesite                  = \"Strict\"\n";
But phpinfo still says it is Strict.
Looking at the ini file it appears it is set elsewhere too.

As I only want to test if it helps, do I need to make a custom template?

Also, is the application itself overriding the session.savepath from 'files', as shown in the master column in phpinfo, to 'user'?

James


Offline jameswilson

Re: webhosting contrib changing session.savepath
« Reply #8 on: July 02, 2024, 08:21:36 PM »
Ignore above, I had a custom template that was redoing Strict.

Changed the custom template and it is now showing as Lax.

Thanks

It also looks like I'm wrong re storing sessions as files. I assume they are in the db which (again an assumption) is in the mariadb database. Looks from what I've read files is not an ideal way to do it.

James
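
Added example, not part of the thread and not code from Zen Cart or the SME Server contrib: a PHP check of the three settings discussed above, comparing the phpinfo "Master" and "Local" values and testing whether the save path sits under the web root. PHP reports session.save_handler as 'user' once an application has registered its own handler with session_set_save_handler(), which is why the files directory can be empty. The function names and the document-root argument are assumptions made for the example.

```php
<?php
// Added example, not from the thread. Include it from the shop after its own
// session bootstrap, so overrides made by the application are visible.

// Hypothetical helper: true when $path resolves to a directory under $docroot.
function path_is_under(string $path, string $docroot): bool
{
    $p = realpath($path);
    $d = realpath($docroot);
    if ($p === false || $d === false) {
        return false; // unresolvable paths cannot be shown to be web-served
    }
    $d = rtrim($d, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($p . DIRECTORY_SEPARATOR, $d, strlen($d)) === 0;
}

// Returns a list of human-readable findings about the effective session setup.
function audit_session_settings(string $docroot): array
{
    $findings = [];
    $ini = ini_get_all('session'); // global_value = phpinfo "Master", local_value = "Local"
    foreach (['session.save_handler', 'session.save_path', 'session.cookie_samesite'] as $key) {
        $master = (string) $ini[$key]['global_value'];
        $local  = (string) $ini[$key]['local_value'];
        if ($master !== $local) {
            $findings[] = "$key: master '$master' overridden at runtime to '$local'";
        }
    }
    $handler = (string) $ini['session.save_handler']['local_value'];
    // save_path may be "N;/path" or "N;MODE;/path"; the directory is the last field.
    $dir = substr(strrchr(';' . $ini['session.save_path']['local_value'], ';'), 1);
    if ($handler === 'user') {
        $findings[] = "save_handler is 'user': the application registered its own handler, "
                    . "so an empty '$dir' is expected";
    } elseif ($handler === 'files' && $dir !== '' && path_is_under($dir, $docroot)) {
        $findings[] = "save_path '$dir' is inside the web root '$docroot'";
    }
    if (strcasecmp((string) $ini['session.cookie_samesite']['local_value'], 'Strict') === 0) {
        $findings[] = "cookie_samesite is Strict: the session cookie is not sent on a "
                    . "navigation that arrives from another site";
    }
    return $findings;
}

foreach (audit_session_settings(($_SERVER['DOCUMENT_ROOT'] ?? '') ?: getcwd()) as $line) {
    echo $line, PHP_EOL;
}
```

Run it only temporarily and remove it afterwards, since it prints configuration paths in the same way phpinfo does.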