I think this is an example of an XY problem . I am trying to solve both the main problem and your solution.

Attempted solution (Y)

Change the permissions of your session files.

Think twice before changing the session file mode, beware of related security bugs. But since you asked, let's assume you know what you are doing.

You have three options:

• Chmod session files after creation

  session_start();
  $path = session_save_path() . '/sess_' . session_id();
  chmod($path, 0640);
  
        
  
          
          
          
        
  
      

  This is what you did in your answer . The serious problem is that you need to add a call chmod
  
  after any callsession_start()
  
  , even if it's done inside a PEAR module or any other third party code. This is a maintenance nightmare.

• Set the modesession.save_path
  
  
  Preferably to php.ini
  
  or .htaccess
  
  (via php_value session.save_path …
  
  ), but if you don't have access to any of them, you can use ini_set()
  
  directly from PHP, somewhere near the start of your script:

  ini_set('session.save_path', '0;640;' . session_save_path());
  
        
  
          
          
          
        
  
      

  Of these three, I would pick this one because it balances complexity and purity very well .

• Implement your own session storage
  You can execute sessions however you like. In your code, you can be sure that you are creating files with the correct permissions.
  Imagine a lot of code here. Namely the class that implements SessionHandlerInterface
  
  , and the call is set_session_save_handler
  
  somewhere near the start of your script.

Selecting mode 640 assumes that the session creation script and the CLI script are executed by users in the same group, and the CLI script only needs read access. If not, use 644 (everyone can read), 660 (group can read and write, others cannot do anything), or 666 (everyone can read and write). Follow the principle of least privilege . Note that umask processes can interfere with your efforts - you can change it first, e. through . umask(0022)

Actual problem (X)

Working with CLI script.

If you run the CLI script under the same user who owns the session files , there is no need to change their mode. Mode 600 keeps the contents of the session files safe.

If you need to execute the script from a different user account, you may need setuid or sudo , but remember to create the same security hole as when using over 600 mode.

When the CLI script really needs to be run as a different user from the creating session, trying to solve (changing the mode of the session files) might actually be correct. I know of a website whose scripts are edited by multiple users, all in one group. Each PHP script is run under its own ownership via suphp

. If one script creates a session file, scripts created (and therefore owned) by other users cannot use it. The required permissions for sessions are 660 and this is still a fairly secure setting. Keeping 600 mode and starting the server, and all scripts under a special artificial user are even better.

an earlier version of this answer compared solutions and detailed them up and down. It also discussed the selection of the appropriate mode. His verbosity made me feel like purging him and leaving only the most important items. However, you may still find it useful.