Common PHP Configuration Changes

Following are some common PHP configuration changes that you might need for a server running PHP, including how to change session parameters and disable functions and classes.

How to change PHP session timeout

When you use sessions for your application, the data is typically stored in files on the server (though this too can be configured in the php.ini). Sessions are affected by a garbage collection process that cleans up any dead sessions, such as those that haven't been used for a certain number of minutes.

By default, the garbage collection process looks at sessions with a lifetime of 1,440 seconds. This means that the user needs to be idle for 1,440 seconds, and on the next attempt, his session may or may not be expired.

A common change is to that garbage collection process, typically to lengthen it. This change is typically implemented in the server-wide configuration but may apply at the site level too.

The php.ini setting to control this behavior is

session.gc_maxlifetime = 1440

How to change other PHP session parameters

Numerous other parameters can be set to control how sessions behave. Things like where session files are saved on the server and whether they use cookies are available to be changed. Some of the more common changes include setting the domain for the session cookie and the name of the session.

Both of these are typically set at the site level. The default value for the cookie_domain is empty, as reflected here:

session.name = PHPSESSID
session.cookie_domain = 

How to disable PHP functions and classes

You can use the php.ini to disable built-in functions or classes. You might find that you don't want people using certain PHP functions or there might be a security vulnerability discovered in a certain function. In any event, you can disable the function or class using these directives:

disable_functions = 
disable_classes =

Each function expects a comma-separated list of functions or classes to be disabled. For example, you might want to disable the exec() function. The following listing shows a simple PHP page to test this functionality.

<?php
 
$passwd = exec("ls -la /etc/passwd");
print "{$passwd}<br />\n";
 
 ?>

When viewed in a browser, the page looks like this:

image0.jpg

Changing the php.ini to disable that function means using this directive:

disable_functions = exec

Once Apache is restarted, the change will take effect. Reloading the page now results in the warning shown.

image1.jpg

If you're using a hosting provider, the exec() function may already be disabled. Also, you may not see the warning if your PHP configuration doesn't display errors.

How to change PHP error display

There are several configuration directives around the error display for PHP. For example, a development server would likely display errors at all times. This is set with the display_errors directive:

display_errors = On

A production server would likely never display errors to the user:

display_errors = Off

A related directive is the error_reporting directive. This complex directive informs PHP what to display for errors. You can configure PHP to report only errors that are fatal or you can display more minor errors like notices.

The error_reporting directive is somewhat complex. See PHP.net for more information if you need to change this directive.

How to change PHP resource limits

There are times when you need to change the maximum file size allowed, for when the file is received through a form POST or uploaded directly or received in another way altogether. The upload_max_filesize directive sets the maximum file size that can be uploaded, while the post_max_size directive sets the maximum size of a form POST. If you allow forms to upload files, chances are you need to change both directives.

Additionally, you may find that you need to change the memory limits imposed on a given PHP script or the execution time that a script runs. For example, if a user is uploading a large file, it may take several minutes. The memory_limit directive sets the amount of memory that can be used by a PHP program, and the max_execution_time directive sets how long a program can run.

You can change the maximum time for a script by changing the max_execution_time in the php.ini or by using the set_time_limit() function within an individual script. The set_time_limit() function is a common way to solve the problem of a long-running script while preserving the server-wide max_execution_time directive's value.

  • Add a Comment
  • Print
  • Share
blog comments powered by Disqus
Advertisement

Inside Dummies.com

Dummies.com Sweepstakes

Win $500. Easy.