
Fixing your session save path

Nicholas K. Dionysopoulos edited this page Oct 20, 2023 · 1 revision

Kindly note that the advice on this page applies for all PHP applications, including Joomla! and WordPress. It is not specific to Akeeba Panopticon. It is specific to PHP and how a server needs to be set up to serve PHP applications.

Why do you need a session save path and what does it do?

PHP is a stateless language: by default it does not save any state between requests. It has no idea who you are, or that it has seen you before. Think about Dory in Finding Nemo.

Of course, this would be a major problem, as it would not let us write applications where the user can log in. This is solved using sessions. The first time PHP “sees” you, it sets a cookie in your browser containing a unique session identifier, and it reads that cookie back on every subsequent request. We developers can store bits of information keyed to that session identifier, e.g. whether you are logged in and which user ID is yours; PHP stores them in a small text file on the server. On the next page load that arrives from you with that session identifier in its cookies, we can read that information back. There are of course other security controls, but that's the concept of sessions you need to know.

As noted above, PHP needs to save session information in small text files. These files are saved in PHP's Session Save Path.

Some servers are misconfigured, telling PHP to use a directory to which it has no write permissions. This makes it impossible for PHP to have sessions, and therefore makes things like logging in impossible. Akeeba Panopticon detects that problem and lets you know, for the obvious reason that until it's fixed you'll be unable to log into Panopticon, and therefore unable to monitor your sites!

How do you fix this problem?

In general, it is best to let your host know that the PHP session save path is unwritable. This is a fundamental issue with their hosting environment configuration which they should be aware of and fix.

If you are your own host

If you are your own host, you can edit your PHP configuration file (php.ini, usually found under /etc/php/8.1, where 8.1 is your PHP version). Look for the session.save_path configuration parameter and edit it.

Remember that you will need to restart the web server service (if you are using PHP as an Apache module, or as a CGI/FastCGI script) or the PHP-FPM service (if you are using PHP through the PHP FastCGI Process Manager) for the changes to take effect.

If you are on a host using PHP as an Apache module

First, create a new subdirectory called session inside the Panopticon installation's tmp folder. This is a safe place, as it's protected against direct web access on most hosts.

You will need to modify your .htaccess file as well. If you do not have a .htaccess file yet, we recommend that you copy Panopticon's htaccess.txt into a new .htaccess file. Edit the .htaccess file and add this line at the bottom:

php_value session.save_path /path/to/tmp/session

where /path/to/tmp/session is the absolute path to the tmp/session folder you created in the previous step.

If you are not sure what is the absolute path, please ask your host.

If you are on a host using PHP as a CGI/FastCGI script, or with PHP-FPM (FastCGI Process Manager)

First, create a new subdirectory called session inside the Panopticon installation's tmp folder. This is a safe place, as it's protected against direct web access on most hosts.

Next up, you need to create a new file named .user.ini in Panopticon's installation folder, i.e. where its index.php file is. Please pay attention to the dot in front of the file name! The contents of that file need to be:

session.save_path=/path/to/tmp/session

where /path/to/tmp/session is the absolute path to the tmp/session folder you created in the previous step.

If you are not sure what is the absolute path, please ask your host.

Please note that it may take about 5 minutes for a new or changed .user.ini file to take effect. This delay is configured in PHP's server-wide configuration file; it's not something we have any control over.
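To see what a check like Panopticon's is effectively doing, and to confirm that your .htaccess or .user.ini change has taken effect, here is an added diagnostic script (it is not part of Panopticon or of this page) that resolves the effective session.save_path and tries to create a file inside it. The function names and the sess_probe_ file prefix are my own choices.

```php
<?php
// Added example, not Panopticon's own code: checks whether PHP can actually
// write session files into the effective session.save_path. Run it through
// the same PHP SAPI as your site, since the CLI ignores .htaccess/.user.ini.

// The "files" handler accepts "N;MODE;/path" and "N;/path" as well as a plain
// path; an empty value means PHP falls back to the system temp directory.
function resolveSessionDir(string $savePath): string
{
    $savePath = trim($savePath);
    if ($savePath === '') {
        return sys_get_temp_dir();
    }
    $pos = strrpos($savePath, ';');
    return $pos === false ? $savePath : substr($savePath, $pos + 1);
}

// Returns the problems found; an empty array means sessions can be written.
// A real test file is created because is_writable() alone does not prove the
// web server's own user can write there (see the FTP-user mismatch below).
function checkSessionDir(string $dir): array
{
    if (!is_dir($dir)) {
        return ["Directory does not exist: $dir"];
    }
    $problems = [];
    if (!is_writable($dir)) {
        $problems[] = "Not writable by the PHP user: $dir";
    }
    // tempnam() silently falls back to the system temp dir, so verify the
    // probe file really landed inside $dir.
    $probe = @tempnam($dir, 'sess_probe_');
    if ($probe === false || dirname(realpath($probe)) !== realpath($dir)) {
        $problems[] = "Could not create a test file inside: $dir";
    }
    if ($probe !== false) {
        @unlink($probe);
    }
    return $problems;
}

if (ini_get('session.save_handler') !== 'files') {
    echo "Session handler is not 'files'; this check does not apply.\n";
    exit(0);
}
$dir = resolveSessionDir((string) ini_get('session.save_path'));
echo "Effective session directory: $dir\n";
$problems = checkSessionDir($dir);
echo $problems ? implode("\n", $problems) . "\n" : "OK: sessions can be written.\n";
exit($problems ? 1 : 0);
```

Upload it next to Panopticon's index.php and open it in your browser to test the web server's PHP, then delete it again.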

What if this does not help?

On some misconfigured hosts, the web server runs under a different user than your FTP / SFTP user. This means that a folder you create over FTP / SFTP, or with the hosting control panel's file manager, will not be writable by PHP itself.

On those hosts you will additionally need to give 0777 permissions to the tmp/session folder to make it writable by PHP.

We strongly recommend against using this kind of hosting, though, and we consider this kind of configuration a big red flag about the security of the hosting environment. The writability issue of this kind of configuration is well understood and was solved in the early 2000s with the introduction of suPHP and, later, PHP-FPM. If your host has not updated their hosting configuration to address this well-understood issue in the past 20 years, it's unlikely that they understand security, and therefore very likely that they have made other grave security-related mistakes in their configuration. Hence our strong advice against using such a hosting environment.

If you are your own host, remember that you should NEVER be using PHP as an Apache module. This is a legacy mode of operation, dating back to the early 2000s, when PHP was a very young and immature language most suitable for light pre-processing of otherwise static HTML pages, not the powerful language it is today. You should always be using PHP-FPM with a pool that runs under the same user and group as your regular login account (that is, the same user and group you use when managing your site's files with FTP / SFTP).
