I have a server running archlinux, lighttpd and php.
PHP is configured to store session files to a custom path: /tmp/php_sessions, instead of the default /tmp.
A startup script makes sure that /tmp/php_sessions is created before lighttpd is started, and that writing permissions are given to the http user.
This always worked OK. Today, I updated the entire system, and since then, it stopped working through lighttpd. However, from the CLI it still works.
Lighttpd runs as http user, so to check permissions I did this:
su http --shell=/bin/bash echo "<?php session_start(); ?>" | php
This correctly creates the a session file in /tmp/php_sessions. However, running a PHP file containing
<?php session_start(); ?>
through the webserver does not produce any errors at all, but no file is created in /tmp/php_sessions. When reloading the page, a error message like this will appear in the lighttpd logfiles:
2013-02-11 13:37:59: (mod_fastcgi.c.2676) FastCGI-stderr: PHP Warning: session_start(): open(/tmp/php_sessions/sess_hcb2d4chg4hobal5r1g8mc2847, O_RDWR) failed: No such file or directory (2) in /srv/http/index.php on line 39
So, the cookie was correctly placed, but the session file is not created.
Commenting out the session.save_path line in /etc/php/php.ini 'solves' this problem, after this, the files are correctly created in /tmp/
/tmp is listed in open_basedir in /etc/php/php.ini
Any clues what might be causing this issue? Currently, I resorted to using /tmp, but I would strongly prefer to save the PHP session files separate from the rest of the /tmp contents.
php-fpm.service contains PrivateTmp=true which means that /tmp is actually a bind mount to /tmp/systemd-private-XXXXXX.
A way to solve this would be to move the php_sessions directory to e.g. /var/lib/php/sessions.