Edit report at https://bugs.php.net/bug.php?id=60411&edit=1
ID: 60411
User updated by: jgalvin at bnl dot gov
Reported by: jgalvin at bnl dot gov
Summary: Session Error When Browsing Between Secure and
Non-Secure Subdirectories
-Status: Feedback
+Status: Open
Type: Bug
Package: Session related
Operating System: Windows Server 2003 - IIS 6
PHP Version: 5.3.8
Block user comment: N
Private report: N
New Comment:
Thank you very much for your helpful advice, yohgaki.
UPDATE: After giving the Internet Guest Account (IUSER_MACHINENAME) the
following permissions on the folder where the session files are stored, the
error no longer occurred when going from a "secure" site requiring
authentication to a "public" site that does not require authenticaiton.
Permissions:
- List Folder / read Data
- Read Attributes
- Read Extended Attributes
- Create Files / Write Data
- Create Folders / Append Data
- Write Attributes
- Write Extended Attributes
However, the error was still occurring when browsing sites in the opposite
direction -- going from a "public" site that does not require authenticaiton to
a "secure" site that does require authentication.
By adding the "Authenticated Users" account to the session folder (with the
same permissions listed above), the error no longer occurs.
So, the problem appears to be resolved. However, since I do not have any
experience with server administration, I am not entirely sure that the solution
described above is appropriate and won't introduce any additional
volunerabilities by giving these two additional users permission on the session
folder. Any thoughts?
Previous Comments:
------------------------------------------------------------------------
[2011-11-30 00:10:45] yohg...@php.net
Are you running FastCGI with different privileges for application
A and B?
Then you would end up with access error for session data files.
Try to run FastCGI with the same privilege or set different save
dir for app A and B. (Or use memcache or any other db based session
data storage)
------------------------------------------------------------------------
[2011-11-29 18:42:05] jgalvin at bnl dot gov
Description:
------------
Configuration: Windows Server 2003 SP2 + IIS 6.0 + PHP 5.3.8 + FastCGI 1.5 (We
have session.auto_start set to true in our php.ini file.)
When a user browses to a secure application, let's call it "Application A,"
which can either be under SSL or just have anonymous access turned off through
IIS and therefore requires authentication, then browses to another application,
we'll call "Application B," that does not require authentication, PHP throws
the following error:
Error: [2] Unknown: open(D:\PHP\Session\\sess_9ksat3tm0nk8lbfcfgk3pp99o0,
O_RDWR) failed: Permission denied (13) File: http://www.mysite.com/mypage.php
Line: 0 Error: [2] Unknown: Failed to write session data (files). Please verify
that the current setting of session.save_path is correct (D:\PHP\Session\)
File: http://www.mysite.com/mypage.php Line: 0
The reverse scenario also results in the error -- if the user browses to
Application B (no authentication) and then to Application A (which requires
authentication).
I was able to prevent the error from occurring by turning anonymous access off
in Application B, which forces the user to authenticate when accessing
Application B. However, this is not a viable solution because we have to allow
users to access public web applications without forcing them to authenticate.
So, simply put: How can we allow users to browse between secure sites and
public sites knowing that PHP wants to read/write to the same session data file
across these various sites, which causes the error as soon as the user goes
from a secure site to a public site or vice versa?
------------------------------------------------------------------------
--
Edit this bug report at https://bugs.php.net/bug.php?id=60411&edit=1
