Jump to content
  • Checkout
  • Login
  • Get in touch

osCommerce

The e-commerce.

Fix: Warning: session_save_path()


AlanR

Recommended Posts

Due to a change by hosts to Safe Mode and/or an upgrade to php many people are getting warnings like this:

 

Warning: session_save_path(): SAFE MODE Restriction in effect. The script whose uid/gid is 10043/10001 is not allowed to access owned by uid/gid 0/0 in /usr/local/psa/home/vhosts/sumdomain.com/httpdocs/catalog/includes/functions/sessions.php on line 118

 

Warning: Cannot modify header information - headers already sent by (output started at /usr/local/psa/home/vhosts/sumdomain.com/httpdocs/catalog/includes/functions/sessions.php:118) in /usr/local/psa/home/vhosts/sumdomain.com/httpdocs/catalog/includes/functions/general.php on line 1174

 

Warning: session_start(): Cannot send session cookie - headers already sent by (output started at /usr/local/psa/home/vhosts/sumdomain.com/httpdocs/catalog/includes/functions/sessions.php:118) in /usr/local/psa/home/vhosts/sumdomain.com/httpdocs/catalog/includes/functions/sessions.php on line 67

 

Warning: session_start(): Cannot send session cache limiter - headers already sent (output started at /usr/local/psa/home/vhosts/sumdomain.com/httpdocs/catalog/includes/functions/sessions.php:118) in /usr/local/psa/home/vhosts/sumdomain.com/httpdocs/catalog/includes/functions/sessions.php on line 67

What's happening is that osc is no longer able to write to /tmp on the server. It does not matter if you have sessions set to mysql in your catalog/includes/configure.php file (always best on a shared server), sessions.php still queries for the directory.

 

function tep_session_save_path($path = '') {
if (!empty($path)) {
  return session_save_path($path);
} else {
  return session_save_path();
}
 }

 

iosysuk (Ian) tracked down the solution here...

 

Cause : Previous bug in PHP fixed in latest version (Chances are your ISP has updated to the new version)

 

Fix: Goto Admin / Configuration / Sessions and change the "Sessions Directory" to tmp (no slashes)

 

If you can't get into Admin, goto your Database Admin page (usually PhPAdmin app.)

Click on any table on the left hand side.

Click on SQL at the top of the screen

Overtype whatever appears in the SQL window with ...

 

UPDATE configuration SET configuration_value = 'tmp' WHERE configuration_key='SESSION_WRITE_DIRECTORY'

 

Click Go

You can also just use phpMyAdmin to edit the value directly. It's in table: configuration at about line 136.

 

Session Directory SESSION_WRITE_DIRECTORY /tmp

 

Simply change /tmp to tmp

Local: Mac OS X 10.5.8 - Apache 2.2/php 5.3.0/MySQL 5.4.10 • Web Servers: Linux

Tools: BBEdit, Coda, Versions (Subversion), Sequel Pro (db management)

Link to comment
Share on other sites

On one server, this works for me in Admin, but not in Catalog.

 

See any problem changing sessions.php to read like this?

function tep_session_save_path($path = '') {
  if (STORE_SESSIONS != 'mysql') { // added this line to turn off this checking if storing session info in db
if (!empty($path)) {
  return session_save_path($path);
} else {
  return session_save_path();
}
 }
}

 

-jared

Link to comment
Share on other sites

On one server, this works for me in Admin, but not in Catalog.

 

See any problem changing sessions.php to read like this?

function tep_session_save_path($path = '') {
  if (STORE_SESSIONS != 'mysql') { // added this line to turn off this checking if storing session info in db
if (!empty($path)) {
  return session_save_path($path);
} else {
  return session_save_path();
}
 }
}

 

-jared

Shouldn't be a problem. It was always an option to turn off the test for the directory itself if you're saving sessions in the database. The only objection I'd have it that it makes the installation less standard.

 

There was another person who found the same result as you did. In his case we went back to creating a directory somewhere within his web space, ie:

 

/usr/home/sumname/public_html/catalog/mysessions or

/usr/home/sumname/public_html/mysessions or

 

and then setting the session save path to that. That solved his problem.

 

It's the cases where a user can't even get into admin that the mySQL approach is most valuable.

Local: Mac OS X 10.5.8 - Apache 2.2/php 5.3.0/MySQL 5.4.10 • Web Servers: Linux

Tools: BBEdit, Coda, Versions (Subversion), Sequel Pro (db management)

Link to comment
Share on other sites

To summarize Jared's solution for newbies.

 

1) In catalog/includes/configure.php ensure that the last line is set to

 

define('STORE_SESSIONS', 'mysql'); // leave empty '' for default handler or set to 'mysql'

 

2) In catalog/includes/functions/sessions.php find:

 

function tep_session_save_path($path = '') {

if (!empty($path)) {

return session_save_path($path);

} else {

return session_save_path();

}

}

 

Change to:

 

function tep_session_save_path($path = '') {

if (STORE_SESSIONS != 'mysql') { // added this line to turn off this checking if storing session info in db

if (!empty($path)) {

return session_save_path($path);

} else {

return session_save_path();

}

}

}

 

You can also apply the same fix to the admin section.

 

1) In catalog/admin/includes/configure.php ensure that the last line is set to

 

define('STORE_SESSIONS', 'mysql'); // leave empty '' for default handler or set to 'mysql'

 

2) In catalog/admin/includes/functions/sessions.php find:

 

function tep_session_save_path($path = '') {

if ($path != '') {

return session_save_path($path);

} else {

return session_save_path();

}

}

 

Change to:

 

function tep_session_save_path($path = '') {

if (STORE_SESSIONS != 'mysql') { // added this line to turn off this checking if storing session info in db

if ($path != '') {

return session_save_path($path);

} else {

return session_save_path();

}

}

}

Local: Mac OS X 10.5.8 - Apache 2.2/php 5.3.0/MySQL 5.4.10 • Web Servers: Linux

Tools: BBEdit, Coda, Versions (Subversion), Sequel Pro (db management)

Link to comment
Share on other sites

To summarize Jared's solution for newbies.

 

1) In catalog/includes/configure.php ensure that the last line is set to

 

define('STORE_SESSIONS', 'mysql'); // leave empty '' for default handler or set to 'mysql'

 

2) In catalog/includes/functions/sessions.php find:

 

function tep_session_save_path($path = '') {

if (!empty($path)) {

return session_save_path($path);

} else {

return session_save_path();

}

}

 

Change to:

 

function tep_session_save_path($path = '') {

if (STORE_SESSIONS != 'mysql') { // added this line to turn off this checking if storing session info in db

if (!empty($path)) {

return session_save_path($path);

} else {

return session_save_path();

}

}

}

 

You can also apply the same fix to the admin section.

 

1) In catalog/admin/includes/configure.php ensure that the last line is set to

 

define('STORE_SESSIONS', 'mysql'); // leave empty '' for default handler or set to 'mysql'

 

2) In catalog/admin/includes/functions/sessions.php find:

 

function tep_session_save_path($path = '') {

if ($path != '') {

return session_save_path($path);

} else {

return session_save_path();

}

}

 

Change to:

 

function tep_session_save_path($path = '') {

if (STORE_SESSIONS != 'mysql') { // added this line to turn off this checking if storing session info in db

if ($path != '') {

return session_save_path($path);

} else {

return session_save_path();

}

}

}

 

I'm trying to run my online osc to my local pc, the catalog part works fine but the admin doesnt. So i tried searching the forum for help....

 

After changing the Session Directory value from /tmp to tmp... i'm getting this error:

----------------------------------------------------------------------------

Fatal error: Cannot re-assign $this in D:\xampp\xampp\htdocs\sylviareynosogala\recipes\admin\includes\classes\upload.php on line 31

------------------------------------------------------------------------------

and when i tried commenting that line 32 (contains: $this = null;) the admin works fine but i dont know if it affects the admins functionality. Please help. i want to run this on my local pc so that i can modify the look faster.

 

thanks alot guys!!!

Link to comment
Share on other sites

I'm trying to run my online osc to my local pc, the catalog part works fine but the admin doesnt. So i tried searching the forum for help....

 

After changing the Session Directory value from /tmp to tmp... i'm getting this error:

----------------------------------------------------------------------------

Fatal error: Cannot re-assign $this in D:\xampp\xampp\htdocs\sylviareynosogala\recipes\admin\includes\classes\upload.php on line 31

------------------------------------------------------------------------------

and when i tried commenting that line 32 (contains: $this = null;) the admin works fine but i dont know if it affects the admins functionality. Please help. i want to run this on my local pc so that i can modify the look faster.

 

thanks alot guys!!!

That's due to a change in php5

 

See: http://www.oscommerce.com/ext/update-20051...l#_Toc119693703

Local: Mac OS X 10.5.8 - Apache 2.2/php 5.3.0/MySQL 5.4.10 • Web Servers: Linux

Tools: BBEdit, Coda, Versions (Subversion), Sequel Pro (db management)

Link to comment
Share on other sites

  • 4 months later...
To summarize Jared's solution for newbies.

 

1) In catalog/includes/configure.php ensure that the last line is set to

 

define('STORE_SESSIONS', 'mysql'); // leave empty '' for default handler or set to 'mysql'

 

2) In catalog/includes/functions/sessions.php find:

 

function tep_session_save_path($path = '') {

if (!empty($path)) {

return session_save_path($path);

} else {

return session_save_path();

}

}

 

Change to:

 

function tep_session_save_path($path = '') {

if (STORE_SESSIONS != 'mysql') { // added this line to turn off this checking if storing session info in db

if (!empty($path)) {

return session_save_path($path);

} else {

return session_save_path();

}

}

}

 

You can also apply the same fix to the admin section.

 

1) In catalog/admin/includes/configure.php ensure that the last line is set to

 

define('STORE_SESSIONS', 'mysql'); // leave empty '' for default handler or set to 'mysql'

 

2) In catalog/admin/includes/functions/sessions.php find:

 

function tep_session_save_path($path = '') {

if ($path != '') {

return session_save_path($path);

} else {

return session_save_path();

}

}

 

Change to:

 

function tep_session_save_path($path = '') {

if (STORE_SESSIONS != 'mysql') { // added this line to turn off this checking if storing session info in db

if ($path != '') {

return session_save_path($path);

} else {

return session_save_path();

}

}

}

 

 

Could U tell me what reason detail?

:)

Link to comment
Share on other sites

  • 3 weeks later...

thanks, suddenyl came across the error message this morning, used the phpMyAdmin and changed the '/tmp' to 'tmp' as shown above and it worked lovely!!

 

Nicely done chaps.

Link to comment
Share on other sites

  • 2 weeks later...
Session Directory SESSION_WRITE_DIRECTORY /tmp

 

Simply change /tmp to tmp

 

This is a very bad idea actually. If the sessions are stored in a file (not in the dbase) removing the front slash makes the path to be relative to the osc catalog. So now your sessions are stored in:

 

catalog\tmp

 

And of course they are accessible and can be downloaded by everyone. In other words

 

Lets see what we have here:

http://mysite.com/catalog/tmp/

 

You should always set the sessions path to be outside your domain with a fully qualified path.

 

So if the root of the site is here

/some_home_path/httpdocs/

 

And the osc catalog

/some_home_path/httpdocs/catalog/

 

You want to set the path outside of all this, to something like:

/some_home_path/private_sessions/

 

This way the session file cannot be accessed from the outside.

 

PS: And the same for any cache files you're possibly using.

Link to comment
Share on other sites

This is a very bad idea actually. If the sessions are stored in a file (not in the dbase) removing the front slash makes the path to be relative to the osc catalog. So now your sessions are stored in:

 

catalog\tmp

Storing sessions in a file is bad practice in general for shared servers, read the first post again...

 

It does not matter if you have sessions set to mysql in your catalog/includes/configure.php file (always best on a shared server), sessions.php still queries for the directory.

Complete credit card numbers can be found in those session files.

 

However, if you read through the thread completely you'll see that the real issue is the fact that the directory must be found (or the code modified so as not to check for the directory's existence) or an error will occur.

Local: Mac OS X 10.5.8 - Apache 2.2/php 5.3.0/MySQL 5.4.10 • Web Servers: Linux

Tools: BBEdit, Coda, Versions (Subversion), Sequel Pro (db management)

Link to comment
Share on other sites

doesn't matter if it's shared or dedicated because removing the front slash opens the security hole. Not only the default osc comes with sessions in files, but there are plenty of posts in the forums recommending to use the "tmp" as a solution.

 

And then there is the possibility someone decides to flip the setting from mysql to '' just because the mysql access on his server is slow. Too many cases this can cause problems. It's best to set that path always outside the domain.

Link to comment
Share on other sites

doesn't matter if it's shared or dedicated because removing the front slash opens the security hole. Not only the default osc comes with sessions in files, but there are plenty of posts in the forums recommending to use the "tmp" as a solution.

 

And then there is the possibility someone decides to flip the setting from mysql to '' just because the mysql access on his server is slow. Too many cases this can cause problems. It's best to set that path always outside the domain.

 

I have my configure.php set to store sessions in mysql...so this should not be a concern..but I have to agree..you can never have too much security. Even though it probably will never change to store sessions in files...i did set the path to a folder outside the domain instead of in the root public html folder.

 

It doesn't hurt right?

 

:thumbsup:

Link to comment
Share on other sites

I have my configure.php set to store sessions in mysql...so this should not be a concern..but I have to agree..you can never have too much security. Even though it probably will never change to store sessions in files...i did set the path to a folder outside the domain instead of in the root public html folder.

 

It doesn't hurt right?

 

:thumbsup:

I'm not at all sure that enigma is correct in his assertion. Seems to me that if he was correct and removing the slash before tmp directed osC to a directory within user web space we'd have lots of people posting that they had problems with the directory not being found. Directories are not magically created.

 

Nowhere in the post does it suggest creating a tmp directory within user web sapce and no one has ever mentioned the problem of the directory not being found. If it was indeed within user web space the full file system path would need to be specified.

 

Refer back to the thread I linked in my first post where a user (iosysuk) first tracked down the cause of the problem.

 

http://www.oscommerce.com/forums/index.php?s=&...ndpost&p=754745

Local: Mac OS X 10.5.8 - Apache 2.2/php 5.3.0/MySQL 5.4.10 • Web Servers: Linux

Tools: BBEdit, Coda, Versions (Subversion), Sequel Pro (db management)

Link to comment
Share on other sites

I'm not at all sure that enigma is correct in his assertion. Seems to me that if he was correct and removing the slash before tmp directed osC to a directory within user web space we'd have lots of people posting that they had problems with the directory not being found. Directories are not magically created.

 

Nowhere in the post does it suggest creating a tmp directory within user web sapce and no one has ever mentioned the problem of the directory not being found. If it was indeed within user web space the full file system path would need to be specified.

 

Refer back to the thread I linked in my first post where a user (iosysuk) first tracked down the cause of the problem.

 

http://www.oscommerce.com/forums/index.php?s=&...ndpost&p=754745

 

Here is a quote from a post you may want to read:

http://www.php.net/manual/en/function.session-save-path.php

 

All users on web hosting should choose an dir below the HTTP directory struct, but within their user area to store the session files.

 

so no you never want to specify sessions or cache files to be stored within the webspage. You should store them in the private user area.

Link to comment
Share on other sites

Here is a quote from a post you may want to read:

http://www.php.net/manual/en/function.session-save-path.php

so no you never want to specify sessions or cache files to be stored within the webspage. You should store them in the private user area.

That's a given and agreed with. We all know that.

 

My point is that the change from /tmp to tmp does not mean that there is magically a tmp directory in user public web space.

 

The original poster (iosysuk) somewhere found a note which indicated that the top level server tmp file is accessed using tmp rather than /tmp when running under safe mode in more recent versions of php. It's when that change occurred that lots of people started posting the errors this thread addresses.

 

As far as I can see, the change does not switch the directory to any other than the top level server /tmp, it just changes the way php finds that directory. Remember that this has solved the problem many people found and none have ever come back and said they got a "directory not found" error and they never created a new tmp folder. I think you're jumping to a conclusion without basis and possibly confusing people who need to solve the problem this thread addresses.

 

I don't use servers running under safe mode which require this change, if I use /tmp it works just fine so I can't test for this myself.

Local: Mac OS X 10.5.8 - Apache 2.2/php 5.3.0/MySQL 5.4.10 • Web Servers: Linux

Tools: BBEdit, Coda, Versions (Subversion), Sequel Pro (db management)

Link to comment
Share on other sites

That's a given and agreed with. We all know that.

My point is that the change from /tmp to tmp does not mean that there is magically a tmp directory in user public web space.

 

I did not say the tmp directory is created by your tip. I pointed to one thing only and that is

 

the recommendation changing the session path from /tmp to tmp.

 

It's very easy to replicate the problem it on a unix or windows server. Just follow these steps:

1. Install osc

2. Create a tmp directory at the user space root level.

3. Create a tmp directory at the osc catalog level.

4. Enter the store with your browser do a couple of clicks such that a session file is generated.

5. Check & Verify the session files are now stored at the root user space root tmp folder (and not anywhere else - they should)

6. Goto the osc admin->configuration->sessions, modify the session path from /tmp to tmp, removing the front slash.

7. Erase the session files from the userspace root tmp folder.

8. Repeat step 4. and then check again the userspace root tmp folder as well as the catalog tmp folder.

 

You will notice the sessions are now stored in the catalog tmp folder. In other words the sessions are accessible from the outside.

 

You can also try it on a localserver with windows os by creating the tmp like c:\tmp at the root level. Same thing happens.

 

That was basically my point. Now when someone tries to get rid of the folder warning he may try to create a tmp folder at the catalog level of his store. Thus creating the security hole. Should be explicitly stated to setup a fully qualified path as the session directory outside the webspace. Same can happen with the cache.

Link to comment
Share on other sites

It's very easy to replicate the problem it on a unix or windows server. Just follow these steps:

2. Create a tmp directory at the user space root level.

3. Create a tmp directory at the osc catalog level.

Exactly. And completely obvious.

 

Nowhere in this thread is there an instruction to create these directories. I only created this thread as a simple method for pointing newbies to a solution for a problem.

 

All you've succeeded in doing is muddying up what was a simple thread.

Local: Mac OS X 10.5.8 - Apache 2.2/php 5.3.0/MySQL 5.4.10 • Web Servers: Linux

Tools: BBEdit, Coda, Versions (Subversion), Sequel Pro (db management)

Link to comment
Share on other sites

  • 9 months later...

Thank you :thumbsup: It worked perfect for me.

 

Rob

 

 

Exactly. And completely obvious.

 

Nowhere in this thread is there an instruction to create these directories. I only created this thread as a simple method for pointing newbies to a solution for a problem.

 

All you've succeeded in doing is muddying up what was a simple thread.

Link to comment
Share on other sites

  • 9 months later...
  • 9 months later...

As a newbie to php, mysql and oscommerce, this forum post helped me out. Big thanks.

 

I edited the following to solve the errors.

"You can also just use phpMyAdmin to edit the value directly. It's in table: configuration at about line 136. Session Directory SESSION_WRITE_DIRECTORY /tmp Simply change /tmp to tmp "

Link to comment
Share on other sites

  • 6 months later...

chek the value of DIR_FS_CATALOG in configure.php

 

 

Satish

Ask/Skype for Free osCommerce value addon/SEO suggestion tips for your site.

 

Check My About US For who am I and what My company does.

Link to comment
Share on other sites

  • 3 months later...
Due to a change by hosts to Safe Mode and/or an upgrade to php many people are getting warnings like this:

 

What's happening is that osc is no longer able to write to /tmp on the server. It does not matter if you have sessions set to mysql in your catalog/includes/configure.php file (always best on a shared server), sessions.php still queries for the directory.

 

function tep_session_save_path($path = '') {
if (!empty($path)) {
  return session_save_path($path);
} else {
  return session_save_path();
}
 }

 

iosysuk (Ian) tracked down the solution here...

 

You can also just use phpMyAdmin to edit the value directly. It's in table: configuration at about line 136.

 

 

Oh, the joy. I just changed that one line in my supanames panel database editor, and those flipping warnings just VANISHED!!! Thank you soooo much :-D

 

Mel

Session Directory SESSION_WRITE_DIRECTORY /tmp

 

Simply change /tmp to tmp

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.

×
×
  • Create New...