Documentation on PHP session garbage collection needs updating.

Bug #1772915 reported by Alastair Growcott
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| php7.3 (Debian) | Fix Released | Unknown | | |
| php8.0 (Ubuntu) | Won't Fix | Low | Unassigned | |
| php8.1 (Ubuntu) | Fix Released | Low | Athos Ribeiro | |
| Jammy | Triaged | Wishlist | Unassigned | |

Bug Description

The Ubuntu distribution of PHP doesn't use the usual PHP mechanism of session garbage collection. It sets "session.gc_probability" to zero in the php.ini file, thus making it seem like garbage collection is disabled. In fact it still occurs but with a cron job.

In my Docker image, the PHP "sessionclean" program is being executed and it seems that this uses the "session.gc_maxlifetime" setting from the apache2 version of the php.ini file. However this is non-obvious and not documented in the php.ini file. Thus when recently rebuilding my Docker image for my web service, I started getting what seemed to be premature session timeouts and I couldn't figure out why and I ended up raising a bug on the PHP team (https://bugs.php.net/bug.php?id=76368).

If the Ubuntu team is going to modify the PHP package so it differs in behaviour from the description in the PHP provided documentation, then they need to provide updated documentation.

I would suggest that the simplest solution is to update the php.ini file so that where "session.gc_probability" is set to zero there is a short paragraph saying why (because it is handled by the cron job) and also make it clear somewhere in that file that the "session.gc_maxlifetime" setting is still relevant even though "session.gc_probability" is zero.

Tags: bitesize

Andreas Hasenack (ahasenack) wrote :

Thanks for filing this bug in Ubuntu, and sorry for taking so long to get to it.

This seems like a reasonable request.

Changed in php5 (Ubuntu):
status: New → Triaged
importance: Undecided → Low
tags: added: bitesize
Christian Ehrhardt (paelzer) wrote :

FYI this was added in Debian, not Ubuntu, quite a long time ago (2010):
=> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=595706

Due to that I think we should actually add the info/doc/.. in Debian and not in Ubuntu as it applies there just as much. I'll open a bug there and quote your report.
Well actually this sounds the same
=> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=831752

Since the above is closed I opened a new one.
=> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=929631

Changed in php7.3 (Ubuntu):
status: New → Triaged
no longer affects: php5 (Ubuntu)
Christian Ehrhardt (paelzer) wrote :

Added the remote bug and moved all to 7.3 as we won't fix that in older releases I'd think

Changed in php7.3 (Debian):
status: Unknown → New
Ondřej Surý (ondrej) wrote :

@paelzer Could I get MR on salsa for this, please?

Changed in php7.3 (Debian):
status: New → Fix Released
Bryce Harrington (bryce) wrote :

Bumping to php7.4 so this doesn't get forgotten.

affects: php7.3 (Ubuntu) → php7.4 (Ubuntu)
Bryce Harrington (bryce)
affects: php7.4 (Ubuntu) → php8.0 (Ubuntu)
Bryce Harrington (bryce)
Changed in php8.0 (Ubuntu):
importance: Undecided → Low
tags: added: server-todo
Changed in php8.1 (Ubuntu):
importance: Undecided → Low
Changed in php8.0 (Ubuntu):
assignee: nobody → Athos Ribeiro (athos-ribeiro)
Changed in php8.1 (Ubuntu):
assignee: nobody → Athos Ribeiro (athos-ribeiro)
Athos Ribeiro (athos-ribeiro) wrote :

The following section is available in debian/php-common.README.Debian (currently shipped in /usr/share/doc/php8.1-common/README.Debian.gz by php8.1-common) in all supported Ubuntu releases:

# BEGIN of README.Debian snippet
Session storage
----------------------------------------------------------------------

  Session files are stored in /var/lib/php/sessions. For security
  purposes, this directory is unreadable to non-root users. This means
  that PHP running from Apache HTTP Server, for example, will not be
  able to clean up stale session files. Instead, we have a cron job
  run every 30 minutes that cleans up stale session files;
  /etc/cron.d/php. You may need to modify how often this runs, if
  you've modified session.gc_maxlifetime in your php.ini; otherwise,
  it may be too lax or overly aggressive in cleaning out stale session
  files.

  WARNING: If you modify the session handling in any way (e.g. put
  session files in subdirectories, use different session handler), you
  always have to check and possibly disable or modify the session
  cleanup cron job that is located in /etc/cron.d/php.
# END of README.Debian snippet

The original snippet dates from 2004 and has been available since the php4 package.

php4 also had the following snippet in debian/patches/006-debian_quirks.patch to change the ini file:

-session.gc_probability = 1
+; This is disabled in the Debian packages, due to the strict permissions
+; on /var/lib/php4. Instead of setting this here, see the cronjob at
+; /etc/cron.d/php4, which uses the session.gc_maxlifetime setting below
+;session.gc_probability = 0
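
Review bot: The last added line, `;session.gc_probability = 0`, is commented out, so after this hunk the ini file sets no value for session.gc_probability at all and the effective value is whatever the build's default is, which these lines do not show. Either set the directive explicitly (`session.gc_probability = 0`) or say in the comment that the packaged default is 0. The comment could also name which SAPI's php.ini the cron job reads session.gc_maxlifetime from, since "the session.gc_maxlifetime setting below" is ambiguous when several ini files are installed.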

This snippet was removed from the debian_quirks patch a while ago (php5), most likely due to the changes in how the ini files are shipped. The session.gc_probability value change is now performed with sed in debian/rules.

While the original Debian bug with the documentation request (https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=831752) did not seem to account for the information available in the README.Debian file, it did suggest that we should document this difference from upstream in the ini files.

Hence, it would be nice to introduce the snippet (with any necessary changes) back in the ini files. However, since this is already documented in the README.Debian file, I am unsure if this would be fit for SRUs. I will file a Salsa MR for the Debian package as requested by Ondřej.

For anyone else digging into this bug, here is some other relevant info:

Debian bug that resulted in the relevant change to use the cronjob: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=267720

Later regression, related to the cronjob being in place: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=595706

Upstream bug report on the "odd" behavior spotted in the Ubuntu package: https://bugs.php.net/bug.php?id=76368
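
An added example, not part of the bug report or of the Debian/Ubuntu packaging: a Python check for the situation discussed in this thread, where `session.gc_probability` is 0 and cleanup depends on the cron job and `session.gc_maxlifetime`. The ini fragments, the function names and the finding codes are constructed for illustration, and the age bound assumes the cron job removes files older than `session.gc_maxlifetime` on each 30-minute run.

```python
import re

# Constructed php.ini fragments for two SAPIs (sample data, not from a real host).
SAMPLE_INIS = {
    "apache2": "session.gc_probability = 0\nsession.gc_maxlifetime = 1440\n",
    "cli": ";session.gc_probability = 0\nsession.gc_maxlifetime = 86400 ; one day\n",
}
CRON_INTERVAL_S = 30 * 60  # README.Debian: the cleanup job runs every 30 minutes


def parse_gc_directives(ini_text):
    """Return the last uncommented value of each session.gc_* directive."""
    found = {}
    for raw in ini_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' starts a php.ini comment
        m = re.fullmatch(r'(session\.gc_\w+)\s*=\s*"?(\d+)"?', line)
        if m:
            found[m.group(1)] = int(m.group(2))
    return found


def audit(inis, cron_interval_s=CRON_INTERVAL_S):
    """Return (sapi, code, value) findings for a set of per-SAPI ini texts."""
    findings, lifetimes = [], {}
    for sapi in sorted(inis):
        cfg = parse_gc_directives(inis[sapi])
        prob = cfg.get("session.gc_probability")
        life = cfg.get("session.gc_maxlifetime")
        if life is not None:
            lifetimes[sapi] = life
        if prob is None:
            # Commented out or absent: this file does not decide the value.
            findings.append((sapi, "gc_probability_unset", None))
        elif prob == 0 and life is not None:
            # Assumption: in-process GC is off and a stale file waits for the
            # next cron run, so its age can reach lifetime + one interval.
            findings.append((sapi, "max_file_age_s", life + cron_interval_s))
    if len(set(lifetimes.values())) > 1:
        # The symptom from the report: ini files disagree on the lifetime.
        findings.append(("*", "gc_maxlifetime_mismatch", lifetimes))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_INIS):
        print(finding)
```

On a real host the dictionary would be filled from the per-SAPI php.ini files; which of them the cleanup job actually reads has to be checked against the installed job itself.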

Athos Ribeiro (athos-ribeiro) wrote :

I filed

https://salsa.debian.org/php-team/php/-/merge_requests/11

to document the changed values in the ini files.

Changed in php8.1 (Ubuntu):
status: New → Triaged
status: Triaged → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package php8.1 - 8.1.2-1ubuntu4

---------------
php8.1 (8.1.2-1ubuntu4) kinetic; urgency=medium

  * d/p/0046-Update-gcc-func-attr-macro.patch: fix detection of unknown gcc
    function attributes. (LP: #1882279)
  * d/rules: document garbage collection in ini files. (LP: #1772915)

 -- Athos Ribeiro <email address hidden> Mon, 02 May 2022 19:54:49 -0300

Changed in php8.1 (Ubuntu):
status: Fix Committed → Fix Released
tags: removed: server-todo
no longer affects: php8.0 (Ubuntu Jammy)
Changed in php8.1 (Ubuntu Jammy):
status: New → Triaged
importance: Undecided → Low
Changed in php8.0 (Ubuntu):
assignee: Athos Ribeiro (athos-ribeiro) → nobody
Athos Ribeiro (athos-ribeiro) wrote :

Since this has been fixed in kinetic and considering it is already documented in README.Debian, I am removing the server-todo tag here and targeting this to jammy as well. We could consider either having a staged SRU for this one or closing it as won't fix.

Changed in php8.0 (Ubuntu):
assignee: nobody → Michał Małoszewski (michal-maloszewski99)
status: Triaged → In Progress
Changed in php8.0 (Ubuntu):
assignee: Michał Małoszewski (michal-maloszewski99) → nobody
status: In Progress → Triaged
Changed in php8.0 (Ubuntu):
status: Triaged → Won't Fix
Changed in php8.1 (Ubuntu Jammy):
assignee: nobody → Michał Małoszewski (michal-maloszewski99)
Michał Małoszewski (michal-maloszewski99) wrote :

Move on for now.

Changed in php8.1 (Ubuntu Jammy):
importance: Low → Wishlist
Michał Małoszewski (michal-maloszewski99) wrote :

Due to other important issues, I decided to unassign myself.

Changed in php8.1 (Ubuntu Jammy):
assignee: Michał Małoszewski (michal-maloszewski99) → nobody
Athos Ribeiro (athos-ribeiro) wrote :

This is still valid. If anyone wants to tackle this one, remember it should be staged given the low priority nature of this.
