I am using the macOS built-in Apache server locally for development. I have developed a site which uses PHP and relies on session cookies to persist sessions. With the default Apache setup, everything was working fine, and session data was persisted correctly.

For ease of development, I wanted to change the User and Group in Apache to my username and group. I did this by editing `/etc/apache2/httpd.conf`, per instructions I found on the net. Restarted Apache, and everything seems to work fine - ``<?php print `whoami` ?>`` shows the expected username (mine).

HOWEVER, I have now started observing that the $_SESSION variable is no longer persisted.

I grepped /etc/php.ini to see if there was a line which included '_www' (the default Apache user and group) thinking that the PHP config had to be changed also to sync things up. However grep returned no lines as such.

Anyone know what is going on here, and how to fix this?

EDIT: I have checked the session ids (`session_id()`) and verified that the same session ids are being used between pages.

KevinHJ

  • Could be a permission issue on the session directory. Do you see something in logs? You could try to set another directory (`session.save_path` in php.ini) – Chris Jan 07 '22 at 13:24
  • Actually the fix turned out to be simpler than that. All I had to do was clear the cookie in my browser :-) Your hint about permissions issue gave the clue I needed. Thanks. – KevinHJ Jan 07 '22 at 13:38

1 Answer

PHP saves the session file in `/var/tmp`, e.g. `sess_1aas3b0jgjbbsoktg3fcehu5je`. Session files here are 600 permissions, thus ONLY the owner can read or write to them. The browser saves the session cookie with the same id. Before changing the user and group in the Apache configuration, the session id was written as `_www` as the owner. After changing the user and group in the Apache config, if the session cookie was still alive in the browser, it would tell PHP to access that id, only now the user is xyz, and it cannot read or write that file.

The simple solution is to clear the session cookie in the browser (or wait until it expires). PHP will now create a new session file with the new owner xyz.

KevinHJ
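
A way to check for the condition described in the answer above, as an added example that is not part of the original post: the function lists `sess_*` files in a session directory whose owner is not the user PHP now runs as. The function name `foreign_sessions` and its arguments are assumptions made for this sketch; `/var/tmp` is the directory named in the answer.

```shell
#!/bin/sh
# Added example (not from the original post).
# foreign_sessions DIR [USER]
#   Prints one line per sess_* file in DIR whose owner is not USER
#   (default: the user running this script). With mode 600 on the file,
#   such a session is unreadable to PHP running as USER, so a browser
#   cookie that still carries its id produces an empty $_SESSION.
foreign_sessions() {
    dir=$1
    want=${2:-$(id -un)}
    if [ ! -d "$dir" ]; then
        echo "not a directory: $dir" >&2
        return 2
    fi

    for f in "$dir"/sess_*; do
        # Skip the literal pattern when nothing matched, and non-regular files.
        [ -f "$f" ] || continue

        # ls -ld is used instead of stat because stat's flags differ
        # between macOS/BSD (-f) and GNU (-c). Field 1 is the mode
        # string, field 3 the owner; neither needs read access to the file.
        info=$(ls -ld "$f" | awk '{print $1, $3}')
        mode=${info% *}
        owner=${info#* }

        if [ "$owner" != "$want" ]; then
            printf '%s owner=%s mode=%s\n' "${f##*/}" "$owner" "$mode"
        fi
    done
    return 0
}

# Run as the new Apache user, e.g.:  sh check_sessions.sh /var/tmp
if [ $# -gt 0 ]; then
    foreign_sessions "$@"
fi
```

Any file it reports belongs to a previous Apache user; the matching browser cookie has to be cleared or left to expire before a fresh session file is created under the new owner.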