Ubuntu – PHP Sessions directory is filling up and overflowing

apache-2.2PHPUbuntu

Running PHP, Apache2… Our login stopped working and anything trying to grab session data. It all stopped working randomly at 7pm last night.
I found out the sessions directory is being filled with tons of sessions per second. If I remove all the sessions it fills up quickly again. Access logs for some reason have stopped working.
Does this sound like an attack… If so what can I do to stop it?

Best Answer

It sounds like the code you are using to close a session is not working, or does not exist. You need to destroy the sessions using the following:

To destroy all sessions:

<?php
session_destroy();
?>

or use this to destroy individual pieces:

<?php
if(isset($_SESSION['views']))
  unset($_SESSION['views']);
?>

Taken from here: W3Schools PHP Sessions

Related Solutions

Php – Memcache+PHP session tuning: How does memcache expire keys

We've encountered this as well, but have managed to dig into it and work out exactly what's going on. The symptoms we encountered was that memcache (with a reasonably large memory allocation running across multiple servers) started to evict content. This is undesirable, as it can adversely affect current visitors on the site.

By monitoring network traffic, we saw messages from PHP to Memcache as follows:

set memc.sess.key.abcdabcdabcdabcdabcdabcd 0 0 1823 data...

It's the second zero that causes the problems - this dictates the length of time that memcache caches the item. By setting it to zero, memcache never expires this item. In your case this meant users could return hours later and continue accessing your site. In our case, memcache was filling up and causing desired data to be evicted.

I dug further, and it boils down to the PHP memcached extension. As of 1.0.2 (which we're running), this code reads:

sess_lifetime = zend_ini_long(ZEND_STRL("session.gc_maxlifetime"), 0);
if (sess_lifetime > 0) {
    expiration = time(NULL) + sess_lifetime;
} else {
    expiration = 0;
}

In this excerpt, it's ZEND_STRL("session.gc_maxlifetime") which isn't returning the expected value. This has been reported as a bug to PHP, and a fix to the memcached library is described at https://bugs.php.net/bug.php?id=59641.

I've deployed this patch, reviewed network traffic, and found that it does set the expiry time as expected.

PHP Sessions Directory – Keeps Filling Until Overflowing

session.save_path = "N;/var/www/data/sessions"

The doesn't seem to be causing a problem (as PHP is obviously generating sessions), but isn't right.

The two formats for this option are:

/path/to/sessions
N;/path/to/sessions

The integer N defines how many sub-directories to create under the specified path, useful to spread the session files out over lots of directories if you expect a lot of session files. (You've already discovered that systems don't like lots of files in one directory...)

session.gc_probability = 0

This is most likely the main problem (unless PHP automatically handles someone setting this incorrectly to 0)

The probability that the cleanup will happen is defined by probability/divisor. 0/1000 is 0 so will likely never run.

Edit: Regarding deleting the files, you may just have to wait for it to finish. If it's millions of files it probably will seem like it's hanging.

Best Answer

Related Solutions

Php – Memcache+PHP session tuning: How does memcache expire keys

PHP Sessions Directory – Keeps Filling Until Overflowing

Related Topic