
I have a LAMP server. Users log in and authenticate against the MySQL database. After successful authentication, session_start() is called. At no point is regenerate_session_id() called. I'm experiencing multiple empty PHP/apache sessions being created. About every second a blank session file is created. In php.ini I have:

session.gc_probability = 1
session.gc_divisor = 1
session.gc_maxlifetime = 1440 

I realize this has nothing to do with session creation; these are the settings for the GC. We set it to full throttle so it would handle all expired sessions, and hopefully clean up all the empty sessions. I do not know if blank sessions are expected, or if it's really a problem. My concern is that with there being so many, it increases the likelihood of a successful session hijack. There is a duplicate machine that's used for testing and development, and it does not have this behavior. I was under the impression that a session file is only created by httpd when a user is authenticated and session_start() is called. I do not know what is causing the blank session files, if it's a legitimate problem, or if anyone else has experienced this behavior.

After making an auditctl rule to watch that directory, it's definitely apache creating them, which checks out since apache is the owner:group of all of the empty files. This box is currently running apache 2.2.15. find . -type f | wc -l shows the file count steadily increasing. I caught it at over 640 after a couple of minutes, and I'm sure it gets worse even with GC processing what it can.

1 Answer

This should be a comment - but it's a bit long.

You've not told us why this is unexpected nor provided any context.

  • Have you tried to correlate the session creation with your access log?
  • Do you expect to always find some data in the session?
  • Have you reviewed your code to identify what scripts call session_start() without setting values?
  • Have you tried instrumenting the code to always capture some data?
  • Have you tested all the code in your site both to ensure that sessions were working as expected and error logging is working?
  • Have you checked your error log for "headers already sent"?

Surely you have made some effort yourself to investigate? Yet you only mention using auditctl to see the files appearing - it should be obvious that this wasn't going to be much help in finding out what was triggering them.

The configuration you have shown us has got nothing to do with the creation of sessions. You might consider starting by reading a bit about how PHP sessions work.

Hint: if you add %{Set-Cookie}o to your access log format, then you'll be able to see which requests are creating which sessions. If you add an auto-prepend file, then you don't have to edit every file but could add instrumentation to send data to the log and/or the session itself. The specifics of how you achieve this depend on whether you use session_start() in every script / in specific directory trees.

If it were me then I'd be modifying the log format and installing a custom session handler to capture more info via an auto-prepend but not changing the existing code base (if session_start() is not called in the script, then the overhead will be negligible). I would also be checking the configuration of error logging and checking the code for instances of error_reporting() to make sure problems were being reported.
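One way to act on the %{Set-Cookie}o hint, as an added example and not part of the original answer: a small Python script that reads an access log whose LogFormat has "%{Set-Cookie}o" appended as a final quoted field and counts which client/path/user-agent combinations are being handed fresh PHPSESSID cookies. The log lines are constructed, and the health-check probe in them is a hypothetical illustration of the kind of source such a count surfaces.

```python
import re
from collections import Counter

# Constructed sample lines in Apache combined format with %{Set-Cookie}o appended
# as a final quoted field (assumed LogFormat:
#   "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" \"%{Set-Cookie}o\"").
SAMPLE_LOG = """\
10.0.0.5 - - [24/Aug/2017:13:09:01 +0000] "GET /health.php HTTP/1.1" 200 12 "-" "HealthCheck/1.0" "PHPSESSID=aaaa1111; path=/"
10.0.0.5 - - [24/Aug/2017:13:09:02 +0000] "GET /health.php HTTP/1.1" 200 12 "-" "HealthCheck/1.0" "PHPSESSID=bbbb2222; path=/"
192.0.2.10 - - [24/Aug/2017:13:09:02 +0000] "POST /login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0" "PHPSESSID=cccc3333; path=/"
192.0.2.10 - - [24/Aug/2017:13:09:03 +0000] "GET /dashboard.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0" "-"
10.0.0.5 - - [24/Aug/2017:13:09:03 +0000] "GET /health.php HTTP/1.1" 200 12 "-" "HealthCheck/1.0" "PHPSESSID=dddd4444; path=/"
"""

# Fields we need from each line: client IP, request path, user agent and the Set-Cookie value.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)" "(?P<setcookie>[^"]*)"$'
)
# A response that sets PHPSESSID is a response that just created a session file.
SESSID_RE = re.compile(r'PHPSESSID=([A-Za-z0-9,-]+)')


def new_sessions(log_text):
    """Yield (session_id, ip, path, user_agent) for every response that issued a new session cookie."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed LogFormat
        sid = SESSID_RE.search(m.group("setcookie"))
        if sid:
            yield sid.group(1), m.group("ip"), m.group("path"), m.group("ua")


def session_sources(log_text):
    """Count new sessions per (ip, path, user agent); the top entry is where to look first."""
    return Counter((ip, path, ua) for _, ip, path, ua in new_sessions(log_text))


if __name__ == "__main__":
    for (ip, path, ua), n in session_sources(SAMPLE_LOG).most_common():
        print(f"{n:4d} new sessions  {ip}  {path}  {ua}")
```

Each session id reported here corresponds to a sess_<id> file in the session save path, so the counts can be checked directly against the directory the auditctl rule is watching.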

  • Thanks. Sorry about the lack of context. I'll edit my original post in a bit. I realize that has nothing to do with session creation, but it should assist in removing all the unused, blank sessions. session_start() is called when a user successfully authenticates. There is never a call for regenerate_session_id(). The reason I feel it's unexpected is I assumed there would only be a file created for every session. We have a duplicate machine that we use for testing, and it never does this. It only creates a session file for every legitimate, authenticated session.
    – mahbad
    Aug 24, 2017 at 13:09
  • I would upvote you for all the helpful info, but alas, I am but a pleb.
    – mahbad
    Aug 24, 2017 at 13:31
