PHP Session Cleaner

In response to Debian's security efforts to stop session stealing on shared-hosting servers, and after a few requests from concerned sysadmins, I've developed an application that cleans the PHP session directory as an alternative to the cron-job route.

From the README.Debian file, and following up on bug reports #321460 and #267720:

Session files are stored in /var/lib/php5. For security purposes, this directory is unreadable by non-root users. This means that php5 running from apache, for example, will not be able to clean up stale session files. Instead, we have a cron job run every 30 mins that cleans up stale session files; /etc/cron.d/php5. You may need to modify how often this runs, if you've modified session.gc_maxlifetime in your php.ini; otherwise, it may be too lax or overly aggressive in cleaning out stale session files.

The application is called `Sescle` (i.e. the PHP session cleaner). It monitors the PHP session directory using the Linux inotify interface and removes session files that have not been modified for longer than the session.gc_maxlifetime duration, so the cleanup runs as root without the PHP worker ever needing read access to the directory.
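Both the Debian cron job quoted above and Sescle make the same decision: a file in the session directory whose modification time is older than session.gc_maxlifetime is stale and gets unlinked. The script below is an added example written for this post, not Sescle's code or Debian's cron job; it reads gc_maxlifetime from php.ini text the way the README suggests you should keep the two in sync, sweeps a directory with a fixed clock, and builds a small constructed fixture in a temporary directory so it can be run anywhere. The `sess_` prefix is what PHP's files session handler uses; the fixture names, the fixed timestamp and the function names are my own. Note that a periodic sweep lets a stale file survive up to gc_maxlifetime plus the cron interval (the laxness the README warns about); an inotify-driven cleaner such as Sescle removes that slack because it learns each file's last write as it happens, but the staleness test itself is unchanged.

```python
"""Root-run sweeper for PHP's file-based session store (added example)."""
import os
import stat
import tempfile
import time

SESSION_PREFIX = "sess_"  # PHP's files handler names each session sess_<id>
PHP_DEFAULT_MAXLIFETIME = 1440  # PHP's built-in default: 24 minutes


def parse_gc_maxlifetime(ini_text, default=PHP_DEFAULT_MAXLIFETIME):
    """Return session.gc_maxlifetime (seconds) from php.ini text.

    A missing or commented-out directive (';' starts an ini comment)
    falls back to PHP's default, which is what a sweeper must also assume.
    """
    for raw in ini_text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip() == "session.gc_maxlifetime":
            try:
                return int(value.strip().strip('"'))
            except ValueError:
                return default
    return default


def select_stale(entries, maxlifetime, now):
    """entries: iterable of (name, mtime). Return the names stale at `now`.

    Only session files count; anything else living in the directory is
    left alone even if it is old.
    """
    cutoff = now - maxlifetime
    return sorted(name for name, mtime in entries
                  if name.startswith(SESSION_PREFIX) and mtime < cutoff)


def sweep(session_dir, maxlifetime, now=None, dry_run=False):
    """Unlink stale session files in session_dir; return (removed, kept)."""
    now = time.time() if now is None else now
    candidates, kept = [], []
    with os.scandir(session_dir) as it:
        for entry in it:
            # Stat the entry itself, never a symlink target: the session
            # directory is writable by every local user, so a planted
            # symlink must not influence which files this root process
            # considers stale.
            st = entry.stat(follow_symlinks=False)
            if stat.S_ISREG(st.st_mode):
                candidates.append((entry.name, st.st_mtime))
            else:
                kept.append(entry.name)
    removed = select_stale(candidates, maxlifetime, now)
    stale = set(removed)
    kept.extend(name for name, _ in candidates if name not in stale)
    if not dry_run:
        for name in removed:
            os.unlink(os.path.join(session_dir, name))
    return removed, sorted(kept)


def demo(maxlifetime=PHP_DEFAULT_MAXLIFETIME):
    """Constructed fixture: one live and two stale sessions plus a
    non-session file, swept with a fixed clock for a deterministic result.
    Returns (removed, kept, files_left_on_disk)."""
    now = 1_700_000_000.0  # fixed "current time" for the demo
    d = tempfile.mkdtemp(prefix="sescle-demo-")
    fixture = {
        "sess_live": now - 60,                # touched a minute ago
        "sess_stale": now - maxlifetime - 1,  # just past gc_maxlifetime
        "sess_ancient": now - 7 * 86400,      # a week old
        "README": now - 7 * 86400,            # old, but not a session file
    }
    for name, mtime in fixture.items():
        path = os.path.join(d, name)
        with open(path, "w") as fh:
            fh.write("")
        os.utime(path, (mtime, mtime))
    removed, kept = sweep(d, maxlifetime, now=now)
    leftover = sorted(os.listdir(d))
    for name in leftover:          # tidy up the temporary directory
        os.unlink(os.path.join(d, name))
    os.rmdir(d)
    return removed, kept, leftover


if __name__ == "__main__":
    print(demo())
```

Run as root against the real directory, `sweep("/var/lib/php5", parse_gc_maxlifetime(open("/etc/php5/apache2/php.ini").read()))` does the same thing the cron job does; pass `dry_run=True` first to see what would go.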

The latest beta release is 0.1 and is available for download at: http://www.midnight-labs.org/sescle/php-sescle-0.1.tar.gz

More information can be found at the Sescle homepage, or by subscribing to the Sescle freshmeat project.


About

Harry is a professional developer and sysadmin from London, UK.

He's an atheist, employed at PixelMags LLC, a socialist and has a pragmatic outlook on life, love and religion.
