6

I am occasionally getting the following error when loading a PHP page:

PHP Notice:  session_start(): ps_files_cleanup_dir: opendir(C:\Windows\TEMP) failed: No error (0) in C:\server\default.php on line 299

Month-old sess_ files in C:\Windows\TEMP still exist.

I am running PHP 5.6.5 on IIS on Windows 8.1.

Why is PHP unable to perform garbage collection, and how do I fix it?

Mooseman
  • 163
  • 1
  • 7

3 Answers3

5

Session temporary files are created in this directory as per the ‘session.save_path’ property in php.ini. Without the permissions to delete files in this directory PHP is unable to remove these files as part of its normal session garbage handling process and so they accumulate when they are no longer needed/you will occasionally see this error whenever garbage collection is performed.

The Application Pool user, which is the one that actually runs the PHP executable, needs at least modify permissions on C:\Windows\TEMP to perform garbage collection (this is not granted by default). If you have not changed this user from the default then it should be 'DefaultAppPool', or you can use the App Pool group, which will be similar to IUSRS.

Best practice is to create a new Application Pool for each site. When you do this IIS will create a Windows user which you can then grant modify permissions to. You can script this or do it from the command line using the following command:

icacls c:\windows\TEMP\ /inheritance:e /grant "IIS APPPOOL\your-user:(OI)(CI)M" /t /c /Q

Update: As Gremio notes, you should move the session files to a specific directory, so that you are not granting write access for this user (that may be exploited) to whatever else Windows stores in the TEMP directory. You can modify the sessions save settings in the php.ini, globally, or specifically for your application at run time (details here).

Dean
  • 166
  • 1
  • 4
  • I would not grant Modify for C:\Windows\Temp to an account used by a web server (including IIS, phpcgi, Python, Etc.). There's just no telling what could end up there. You could instead change the path for sessions to something else where you can grant the account M. Or you could just give the account 'list folder' as users have everything they need by default (which these accounts are unspoken members of) except list folder. Granted, if a hacker can exploit the code and access that location, they're potentially taking over sessions no matter what you do. – Gremio Jan 18 '18 at 18:54
0

I found that the easiest way to deal with this problem was to change the path being used to save temporary information to one of my choosing, followed by setting the appropriate security permissions.

To change the path used to store temporary files:

  1. Edit the php.ini for your installation (mine was located in C:\Program Files\PHP\v7.4).
  2. Located the session.save_path setting.
  3. Change the path from C:\Windows\Temp to a folder of your choosing. I created a folder specifically for this.

To change the permissions on the folder you specified above:

  1. Right-click on the folder in Windows Explorer and choose Properties.
  2. Choose the Security tab.
  3. Click Advanced to open the Advanced Security Settings popup.
  4. Click Change Permissions.
  5. Click Add... to add a new user.
  6. Type in IIS_IUSRS as the object name and click OK.
  7. On the Permissions Entry popup, tick the settings for Full control under the Allow column.
  8. Click OK to return to the main Permissions list.
  9. Make sure to select the checkbox at the bottom of the page that states Replace all child object permissions with inheritable permissions from this object.
  10. Click OK and confirm all the other popups and windows.

PHP should immediately begin to use the new folder location for session and temporary data.

Martin
  • 201
  • 2
  • 5
-2

Just give Full Permissions to the User "IUSR" on the Directory "C:\Windows\Temp". Maybe just Directory Listing and Deleting is enough... but in a non-productive system this shouldn't be a problem.