Until Fedora 17, session.save_path default value (in php.ini) was set to
/var/lib/php/session, which is owned by apache, raising some issues:
- for session created by root (cannot be cleaned by apache)
- for other daemon/user (cannot create file here)
Starting with Fedora 18 (php 5.4.7-2), this value is to be set per SAPI
- no default value in php.ini (so /tmp used)
- probably no security issue as
each daemon (should) have PrivateTmp
each session file have 600 mode.
- mod_php will use value set from apache configuration in
- php-fpm wil use value from each pool configuration file
I think most nginx / lighttpd configuration now use fastcgi via php-fpm.
If some still use "php-cgi", they need to add -d session.savepath="xxx"
to the commande line. But is this still used ?