Edit report at https://bugs.php.net/bug.php?id=60411&edit=1

 ID:                 60411
 Updated by:         yohg...@php.net
 Reported by:        jgalvin at bnl dot gov
 Summary:            Session Error When Browsing Between Secure and Non-Secure Subdirectories
-Status:             Open
+Status:             Feedback
 Type:               Bug
 Package:            Session related
 Operating System:   Windows Server 2003 - IIS 6
 PHP Version:        5.3.8
 Block user comment: N
 Private report:     N

 New Comment:

Are you running FastCGI with different privileges for application A and B?
Then you would end up with an access error for session data files.

Try to run FastCGI with the same privilege or set a different save dir for
app A and B. (Or use memcache or any other db based session data storage)

Previous Comments:
------------------------------------------------------------------------
[2011-11-29 18:42:05] jgalvin at bnl dot gov

Description:
------------
Configuration: Windows Server 2003 SP2 + IIS 6.0 + PHP 5.3.8 + FastCGI 1.5
(We have session.auto_start set to true in our php.ini file.)

When a user browses to a secure application, let's call it "Application A,"
which can either be under SSL or just have anonymous access turned off
through IIS and therefore requires authentication, then browses to another
application, we'll call "Application B," that does not require
authentication, PHP throws the following error:

Error: [2] Unknown: open(D:\PHP\Session\\sess_9ksat3tm0nk8lbfcfgk3pp99o0, O_RDWR) failed: Permission denied (13)
File: http://www.mysite.com/mypage.php
Line: 0

Error: [2] Unknown: Failed to write session data (files). Please verify that the current setting of session.save_path is correct (D:\PHP\Session\)
File: http://www.mysite.com/mypage.php
Line: 0

The reverse scenario also results in the error -- if the user browses to
Application B (no authentication) and then to Application A (which requires
authentication).

I was able to prevent the error from occurring by turning anonymous access
off in Application B, which forces the user to authenticate when accessing
Application B. However, this is not a viable solution because we have to
allow users to access public web applications without forcing them to
authenticate.

So, simply put: How can we allow users to browse between secure sites and
public sites knowing that PHP wants to read/write to the same session data
file across these various sites, which causes the error as soon as the user
goes from a secure site to a public site or vice versa?

------------------------------------------------------------------------
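
The suggestion in the new comment to give each application its own save directory, as an added php.ini sketch that is not from the bug report or from the PHP project. The application paths, subdirectory names, session names and cookie paths are assumptions; only D:\PHP\Session and session.auto_start come from the report.

```ini
; Constructed example. Application paths, subdirectory names, session names
; and cookie paths are assumptions, not values from the report.

; Reported setup: every application shares one session store. If the two
; applications run under different privileges, as the comment asks, a
; session file created by one cannot be opened by the other.
[Session]
session.auto_start = 1
session.save_path = "D:\PHP\Session"

; Per-directory sections are honoured by PHP 5.3+ under CGI/FastCGI only.
; Application A (requires authentication).
[PATH=D:/inetpub/wwwroot/appA]
session.save_path = "D:\PHP\Session\appA"
; A separate cookie name and path keep the browser from presenting
; application A's session ID to application B, and the reverse.
session.name = "APPA_SESSID"
session.cookie_path = "/appA/"

; Application B (anonymous access).
[PATH=D:/inetpub/wwwroot/appB]
session.save_path = "D:\PHP\Session\appB"
session.name = "APPB_SESSID"
session.cookie_path = "/appB/"
```

The files session handler does not create these directories, so each one must already exist and should be writable only by the identity its application runs as.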