Configuring Session Handler path for open_basedir

I am deploying 9.1.3 on a new server that is out of my partially out of my control. The hosting provider has open_basedir configured and for the most part there are no problems with any of the other tools I’ve deployed onto their servers. Uniquely Concrete5 seems to be unhappy even when I switch the Session Handler to be “Database” with the open_basedir. The operator says that any tool that is configured to use a customer session handler should also provide mechanisms to specify the path. But I can’t seem to find an option to do that in the web based installation. Is there a way around this issue? This is the error that I am getting:

is_dir(): open_basedir restriction in effect. File(/home/system/var/lib/php/sessions) is not within the allowed path(s): (/tmp:/var/tmp:/usr/bin:/home/Gorf).

#0 [internal function]: Whoops\Run->handleError(2, 'is_dir(): open_...', '/home/Gorf/swee...', 50) #1 /home/Gorf/[snipped for privacy]/dev/html/concrete/src/Session/Storage/Handler/NativeFileSessionHandler.php(50): is_dir('/home/system/va...') #2 [internal function]:
Concrete\Core\Session\Storage\Handler\NativeFileSessionHandler->__construct('/home/system/va...') #3

Anyone have any feedback here?

Hi @Gorf - sorry haven’t run into this in my travels - strange to have restrictions on something like that by your hosting provider.

open_basedir is an extremely common security control in a multi-user hosting environment to prevent malicious code from one customer doing lateral reconnaissance of other customers or the hosted operating system itself.

Here are a couple links that might be helpful:

And more recent comments on this Github issue:

Otherwise might be something worth opening a new issue about