PHP, originally Personal Home Page, is an incredibly powerful and easy to use scripting language. Ideal for server-side database applications, it has started to eclipse Java as the defacto standard for web application development.

Debugging Tips

Check /var/log/httpd/error_log  Indeed even static HTML pages with quiet errors may have messages here that can be helpful.

File Uploading

PHP file uploading is typically set to a low value. Adjust /etc/php.ini to suit your needs ...

# cd /etc

# diff php.ini

  728c728
  < post_max_size = 2M
  ---
  > post_max_size = 1G
  879c879
  < upload_max_filesize = 10M
  ---
  > upload_max_filesize = 1G

#  service httpd restart

Sessions / Cookies [ edit ]

Sessions (i.e. Session ID's) and Cookies are tied to a specific browser on a specific computer.  A session always evaporates when a web browser quits/restarts.  Sessions are stored on server, and browsers are not able to directly detect if server side session are being used.  Cookies are stored with browser, but are triggered by response from server to create them.  A cookie evaporates when a browser quits if the cookie omits setting an expiration date or the browser is configured to ignore cookies.  Typically cookies are used for sites that require usernames and passwords, but remember them and skip asking on subsequent visits from the same web browser.  Other uses are minor preference settings for how a site should present itself (time zone, geographic, shopping carts, ...).  If a password needs to be part of a cookie, best to ensure only https pages are allowed to interact with password cookie.

Cookies eventually expire. So cookies really only provide convenience for short term use (e.g. a few months).  Eventually a cookie will expire and the user will have to provide their information again.  Therefore, cookies are a way to make a site more convenient for frequent users, but any critical information that must persist over time must be stored in a server side database to ensure it doesn't suddenly vanish one day.

Client side javascript has limited access to cookies and session information.  Instead a web browser will parse cookie ID's included in response from server, and will include then in headers to any subsequence requests to the same server.  This means the client side is aware of cookie ID's, but not the actual variable names and values that the server is associating with the particularing client.  Web developers can use this server side privledge to reduce the amount state to dynamically update between client and server without risk of the client (typically the most insecure portion of a web application) maliciously interferring.

File Upload Permissions
rickatech 2020-09

If a web application is to be uploading files, and those files need to be writable by a user other than the web server, it may be necessary to make adjustments to allow uploaded files to be group writable.

Configuring file folders to have SGID bit set under Linux enables new files that are uploaded to share a common group, but making them group writable must still be done by the service creating the file.

For PHP until recently this was done by modifying Apache service settings.  However as of PHP7, the php-fpm service may instead be performing uploads.  Typically this can be accomplished by adding umask.conf file then restart services.

# /etc/systemd/system/php-fpm.service.d/umask.conf

  [Service]
  UMask=0002

# systemctl daemon-reload

  [ this is needed to enable new file mask behavior ]

# systemctl restart php-fpm