
open_basedir vs sessions

On a virtual hosting server I have the open_basedir set to .:/path/to/vhost/web:/tmp:/usr/share/pear for each virtual host. I have a client who's running WordPress and he's complaining about open_basedir errors thus:

PHP WARNING: file_exists() [function.file-exists]: open_basedir restriction in effect. File(/var/lib/php/session/sess_42k7jn3vjenj43g3njorrnrmf2) is not within the allowed path(s): (.:/path/to/vhost/web:/tmp:/usr/share/pear)

So the PHP session save_path isn't included in open_basedir, but sessions across all sites on the server seem to be working fine apart from this intermittent instance. I thought that perhaps the default session handler ignored open_basedir and this warning was caused by WP accessing the session file directly.

However, from what I can see, PHP 5.2.4 introduced open_basedir checking for the session.save_path setting: http://www.php.net/ChangeLog-5.php#5.2.4 (I am on PHP 5.2.13).

Any ideas?


Set the session.save_path in the ini file to point inside the open_basedir and add a .htaccess file to prevent users from accessing the files using a browser?

C.


PHP manual says: "The special value . indicates that the working directory of the script will be used as the base-directory. This is, however, a little dangerous as the working directory of the script can easily be changed with chdir()."

Having all vhosts pointing to the same session.save_path is also not the best idea. A PHP script can easily change garbage collection settings. In a session file there is no information about the owning application. The garbage collector will collect all accessible files. If you wonder why sessions expire earlier than expected, the reason can be other applications with shorter expiration times. From a security point of view each application should use its own directory for session files.

Now it is easy to solve the problem. Include the separate session.save_path in the open_basedir of this vhost. Then ask the WordPress people why a PHP script should have access to other users' session data.

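The per-vhost layout the answer above recommends, written out as an Apache mod_php vhost configuration. This is an added example, not configuration from the question or either answer; the hostname example-client.test and the /srv/vhosts/client/... paths are placeholders, and the first block simply restates the layout described in the question so the two can be compared.

```apache
# Added example (not from the original question or answers). Hostname and
# /srv/vhosts/client/... paths are placeholders chosen for illustration.

# --- Before: the layout from the question. open_basedir lists the docroot,
# /tmp and PEAR, but session.save_path is left at the server-wide default
# (/var/lib/php/session in the warning), which is outside that list and is
# shared by every vhost on the box. Any direct file access to a session
# file, such as the file_exists() in the warning, trips the restriction.
<VirtualHost *:80>
    ServerName example-client.test
    DocumentRoot /path/to/vhost/web
    php_admin_value open_basedir ".:/path/to/vhost/web:/tmp:/usr/share/pear"
    # session.save_path not set here: inherits the global default
</VirtualHost>

# --- After: a session directory private to this vhost, and that directory
# listed in open_basedir so the session handler and any script-level
# file_exists()/unlink() on session files stay inside the allowed paths.
<VirtualHost *:80>
    ServerName example-client.test
    DocumentRoot /srv/vhosts/client/web

    # Trailing slashes are deliberate: open_basedir entries are path
    # prefixes, so "/srv/vhosts/client" alone would also admit
    # "/srv/vhosts/client2". The "." entry is dropped, since the docroot
    # already covers the working directory of every script under it and the
    # manual warns that "." follows chdir().
    php_admin_value open_basedir "/srv/vhosts/client/web/:/srv/vhosts/client/sessions/:/tmp/:/usr/share/pear/"

    # Own save_path per vhost: garbage collection in one site can no longer
    # expire another site's sessions, and no site can read another's files.
    php_admin_value session.save_path "/srv/vhosts/client/sessions"

    # php_admin_value, not php_value, so neither a .htaccess nor ini_set()
    # in the application can point save_path back at a shared directory.
</VirtualHost>
```

The sessions directory has to exist and be writable by the user PHP runs as before the vhost is reloaded. Note that with mod_php every vhost runs under the same Apache user, so filesystem permissions on that directory do not separate the sites from each other; open_basedir is the barrier here, which is why it is set with php_admin_value rather than left overridable.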
