We have an array of autoscaling web servers on the cloud sharing sessions via a shared Network Attached storage.
We are considering other solutions but in the meantime I am looking for ways to make our system fault tolerant.
E.g. if shared storage is not available for whatever reason I would like php to ignore my session.save_path setting and fallback to the local filesystem instead.
Is there any clever workaround that would make this possible via standard php configuration?
You could use auto_prepend_file and do the check there and set the path to local if the path in the cloud is not available. This is not a fully automatic, ini only solution, but close to it.
Recommendation: if you want to share the session across several machines better use a database stored session solution.
Related
There are several methods to share PHP session with Node.js.
One method is saving the PHP session in a nonSQL Database such as Redis and access it through Node.js.
Another popular method is using a memcached server.
Both of the mentioned methods require:
1) Running another server.
2) Altering the default PHP Session handler.
Why shouldn't I use the default PHP Session handler and access the sessions files by reading the file content within Node.js using 'fs'(FileSystem) core library ?
What other reasons there are besides speed to not access and read the sessions files directly, assuming that no remote operations between servers should be done ?
One huge advantage to both of the external session server options is that it becomes much easier to server the PHP and Node apps from separate servers themselves. While it's possible to access another server's filesystem directly, as would be necessary using the Node fs library, it's much simpler and more scalable to externalize the sessions on a redis server, for example, and not have to worry about the filesystem at all.
I also recommend reading The Twelve Factor App for more good practices in this vein.
This answer is very comprehensive: Performance of Redis vs Disk in caching application
Apart from that consider that you could deploy your application and DB on remote servers, if you are using Redis or so. Especially if you are considering to containerize your application this will be an advantage.
I have php with nginx. I want to make PHP save it's sessions on RAM for security reasons. Is there any way doing it?
If it's impossible, is there is any advice to make php sessions unrecoverable from hard disk after the server is shutdown?
After a lot of searching I've found the Shared memory module of php, which can be used like persistent memory cache over sessions. is it shared with other applications too?, and how secure is it?
I would use memcached to store session data in RAM. If you are already using a database you might simply use a memory storage engine. However, I don't get what security reasons you have in mind. If you have concerns that somebody is able to access your session data then make sure that he is not able to do so. Regardless where they are stored as otherwise the security is completely broken.
Update
You told that the client and the server are running on the same physical machine. I can imagine of a kiosk application.
As a general advice the client needs to run as a different user. This is possible in Windows too. Then make sure that the client has a limited system access and is not able to access the secret data. that's it.
You might also consider to separate server and client using virtual machines.
The PHP HybridAuth require the use of PHP session, however, we want to avoid using server side session since we are running the app on multiple machine.
We don't mind if user need to authenticate with provider every-time when needed, so, is it possible to avoid the need of using PHP session when using the HybridAuth?
[1] http://hybridauth.sourceforge.net/userguide/HybridAuth_Sessions.html
Short answer is no.
A longer answer is that it is possible (but in most cases will require sessions on the authentication provider) but to explain the options here would take far too long and from the tone of your question you would need a very detailed description of the potential options.
But this based on a premise that you can't have sessions across multiple machines. This is trivial. Even running sessions across multiple datacentres is a simpler solution And since you don't appear to be using the session for anything other than authentication you are not going to run into problems of scalability.
If you don't use PHP session mechanism for your application, you can override the default session storage by creating your own storage functions, with awareness of multiple servers.
For instance:
http://php.net/manual/en/function.session-set-save-handler.php
You can then either set the session in Memcached (for this particular case, you should only use php.ini with the following instructions: http://php.net/manual/fr/memcached.sessions.php), or MySQL, or a physical storage accessible by all servers (such as NFS).
Although, I think that even if you have multiple servers, default is to redirect the user to the same IP address (in DNS Round-Robin declaration, or in standard load-balancers), so a unique storage on each server, not visible by the other servers, should work.
I have a client that is own a shared host the uses php sessions. The session save path is /tmp by default. They are having random logouts.
Could this be caused by any/all of these?
Garbage collection by other user on the server?
Someone clearing out /tmp files (User or cron). This seems unlikely as the host I am using is pretty well known
I can change the session save path to a folder under their control. Do you think this would be the best solution? I know shared hosts sessions are insecure as anyone can read them (and I think even write to them via nobody/apache user)
How can i manage sessions between 2 or more web servers are using to manage Load balancing ?
The points that i found are
Use database session CDbHttpSession
Use cache session CCacheHttpSession
Use Security manager CSecurityManager
As Yii project Lead Qiang said , There is only one thing you need to be careful, that is the validationKey of CSecurityManager. By default, this key is automatically/randomly generated the first time and is stored under runtime directory. In multiple server environment, you should explicitly configure this property so that all servers share the same key. This key is used widely to generate hash keys for various security-related measures.
You have a couple of options:
1) If your load balancer supports it, you can enable session persistence so that the user always is sent to the same server as the one they originally hit. The benefit of this is that it's easy to setup if you don't want to change any code. The downside is that if one of your servers goes down you lose all your sessions on that node.
2) Setup a shared memcache (not memcached) session between node1 and node2. The relevant settings being.
php.ini
session.save_handler memcache
session.save_path tcp://<ip1>, tcp://<ip2>
memcache.ini
memcache.allow_failover 1
memcache.default_port 11211
memcache.hash_strategy standard
memcache.max_failover_attempts 20
It's a little tricky to setup, but once you get it working you have full redundancy between both servers if one were to go down.
3) Setup a third node to manage sessions and configure php session.save_path to be that server's ip. The benefit of this is that sessions are now managed by a third server. The downside being you lose redundancy, if that server goes down you lose sessions.
this is the best answer that i got . But I cant Use APC !!
Is there any other methods ?