Thanks @nas and @stephdl for pointing this out! I agree we need to fix this value.
Each application could define its session storage method. I think the best place to set session.save_path is in an application configuration file (for instance, server-manager assumes /var/cache/nethserver-httpd-admin), so it can be different for each application.
Moreover, PHP does not set a default, because the path depends on the platform. Our platform is CentOS, and php-common sets the default to /var/lib/php/session, in php.ini.
I propose to set the default to the value chosen by upstream.
There are also a lot of other parameters that could be adjusted to reflect the upstream settings. For ns7 I’d like to be more upstream-compliant and revert the php.ini to the upstream version. Our template can be moved to an included file, like /etc/php.d/nethserver.ini. What do you think?
After working on NethServer 7 in the last weeks, I’m beginning to change my mind a bit.
I mean: we’re discovering that some needed changes are a bit intrusive; I’d like to seize the opportunity to accept bigger modifications if we agree that they will make our life easier in the future (i.e. going back to upstream packages, reducing the number of packages we maintain, doing things as upstream, etc).
I’m compiling a list of things that need to be worked on, trying to identify some patterns. When I’m ready, I’ll ask for a review.
Looking at the php.ini, I can see that ‘upload_tmp_dir => no value => no value’ is not set, so one could imagine setting a ‘session.save_path’ and an ‘upload_tmp_dir’ per ibay. This way a web application won’t share temporary folders with another… the risk of being hijacked by a corrupted application will be lower.
Is it the time to design a new one just for PHP webapps?
May it be useful to expose that concept on the “Shared Folder” page and ask the admin to specify the “purpose” of the Shared Folder at creation time?
File sharing and PHP web applications are two very different scenarios. Both require different filesystem permissions, and different Apache configurations. Probably web apps don’t need the ACL mess-up at all, but Samba shares do.
I think we should design new Shared folder profiles to serve different use cases. The one-size-fits-all configuration for shared folders is too hard to develop/maintain.
Moreover, as I said on the other thread, a new server manager page to configure virtual hosts could simplify the actual interface.
I mean, I’m a bit lost. If you want a specific module for Apache:
you will have duplicated code with the sharedfolder module
you will make it hard for people to push or maintain their webapps (Samba is an easy way to do it)
Honestly, I don’t see the ACL as something tricky for Apache; you now have the possibility to restrict the Apache permissions. Obviously, what is being asked for now is an option to give full permissions to Apache on a shared folder.
I do believe that an ibay is used just for one purpose; with Samba, most of the time there is no need to use httpd, but with the former, pushing files by Samba is an easy way, of course when the server is on your local network.
After all, you are asking me to do a cultural revolution… I have used ibays for Samba, FTP, HTTP and NFS for such a long time.