Avoid problems with session files directory in PrestaShop

1749 readings
2022-08-31 (updated on 2024-03-22)
When PrestaShop added the use of PHP sessions, it did so in a simple way. It saves sessions to files, and it does so in the default directory established in PHP configuration. This is not advisable, I explain why and how to solve it.

Traditionally, the PrestaShop online store system, which works with PHP, did not make use of user sessions, despite being something that can be really useful within a web application. It started to do it at some point in the 1.7 branch, maybe when he incorporated Symfony. But, in some aspects, it is too crude, because the PHP session manager is used simply, without any customization from PrestaShop.

One of those aspects is the place where the sessions are saved, that is, the information about each user session. This is what is known in PHP as session save_path. Basically, it is the directory where files containing information for each session will be saved. And PrestaShop uses the default PHP configuration on the server. This is something that can be problematic.

Normally, the session save_path is a directory that, in the event that there are several websites on the same server, these different websites will share. This opens the door for sessions from two different websites to be mixed. Yes, it can happen if the same user visits those two sites from the same device, because PrestaShop also does not personalize the session name.

More over, if there are problems writing to the sessions directory, errors can occur in PrestaShop such as an infinite redirect, which ends up crashing the browser due to too many redirects in the backend, because security has been compromised.

For all these reasons, it is highly recommended to customize in PrestaShop the directory where the session files will be saved. Session management can be greatly customized in PHP, you can even save sessions in a database instead of files. But, at least, controlling the session save_path is something basic that can avoid "rare" problems that are sometimes difficult to determine their origin, because since PrestaShop does not use PHP sessions for everything, then you can see the store apparently working normally, but give you sad surprises.

How to define the sessions directory in your PrestaShop

Follow this help to learn how to change the session save_path in your PrestaShop and not use the default sessions directory

There is no option within PrestaShop to set this configuration parameter, but it can be done very easily, from code, without altering the PrestaShop source code at all, or compromising future PrestaShop version updates.

First of all, we have to be clear about which we want to be the new directory where PrestaShop saves session files. These are two good conditions that this directory should meet:

  • Be a directory within the account of the user who owns the website.
  • Not be reachable online.

With the first condition, we seek to avoid using a shared directory. For instance, if our website is example.com, we have cPanel, and the user is example, we will want to use a directory inside /home/example/</ em>, which is that user's folder. And the directory must have that same user and example group as owners, and permissions 0755. If we have Plesk, that user's folder would be /var/www/vhosts/ example.com/ and there is where we would like it to be the new directory for sessions. In Plesk, normally the owner user would be example and the group psacln.

With the second condition, we want to prevent the session files from being served and consulted via the web. For this, it is best to place the directory above the root directory of the website. In cPanel, the root directory of the website is public_html (within the user folder, discussed in the previous paragraph), and in Plesk it is httpdocs (also n inside the user folder).

Then, we can create a directory called tmp directly inside the user's folder (depending on the system), and confirm that it has the appropriate owners and permissions (discussed above). The tmp directory may already exist. We can call it sessions instead of tmp, or, even better, create a sessions directory inside tmp</em >.

If we did not have access above the web root, then we would create tmp/sessions within it, but we would immediately create a .htaccess file with this content:

Deny from all

That will prevent that directory to be accessible via web (as long as the server supports .htaccess).

Okay, we have already prepared our directory for the sessions, now we are going to tell PrestaShop to start using it as such. To do this, we will use the PHP function session_save_path. Yes, you are going to write a little bit of code, but don't be scared, it's just one line, very easy!

We are going to do it in a way that does not negatively affect your PrestaShop, without touching any of its source code, and maintaining compatibility with future PrestaShop updates. We will simply use the custom definitions file. Go to the config directory within the root of your PrestaShop store. Check if there is a file called defines_custom.inc.php, if it doesn't exist, create it. It's a file that, when it exists, PrestaShop always loads at the beginning of each execution, so it's great for establishing constants, configuration parameters, or things like that. Edit the file, and simply write the following:

<?php
session_save_path(dirname(__FILE__) . '/../../tmp/sessions');

In that example, we are telling that the sessions directory is tmp/sessions, one level above the store root.

Indicate there the directory you have decided to use. For example, to use tmp/sessions within the store root, it would be:

<?php
session_save_path(dirname(__FILE__) . '/../tmp/sessions');

Save the file and visit your store, both the front and backoffice. Then, verify that the session files are indeed being created in the chosen directory.

Be careful, if the file already exists and already has content, respect it. Simply add the line with the session_save_path function to the end of the file.

Remember that the recommended permissions for config/defines_custom.inc.php are 0644.

In summary

To define the PHP sessions directory to be used by your PrestaShop store, simply edit the config/defines_custom.php file (create it if it doesn't exist), and add the instruction:

session_save_path('path-to-dir');

For example:

session_save_path(dirname(__FILE__) . '/../../tmp/sessions');

Remember that at the beginning of the file there must be this line to indicate that it's PHP code:

<?php

It's quite easy, I hope I haven't bogged you down by giving too many explanations.