LSPHP is killing sessions

mkaaaay

Well-Known Member
#1
We've had issues with PHP sessions being killed really quickly, and some auditing has shown that lsphp is doing this. See logs below.
How can we stop this, please?


Code:
It's definitely the lsphp binary removing the session files.

19 minutes ago by SYSADMIN

TD
type=CONFIG_CHANGE msg=audit(1600914747.515:19246675): auid=0 ses=2672388 op=add_rule key="SESSIONREMOVETEST" list=4 res=1

type=SYSCALL msg=audit(1600914808.883:19246746): arch=c000003e syscall=2 success=yes exit=4 a0=7ffc0cefff10 a1=20042 a2=180 a3=0 items=2 ppid=8933 pid=13128 auid=4294967295 uid=1115 gid=1119 euid=1115 suid=1115 fsuid=1115 egid=1119 sgid=1119 fsgid=1119 tty=(none) ses=4294967295 comm="lsphp" exe="/opt/cpanel/ea-php73/root/usr/bin/lsphp" key="SESSIONREMOVETEST"

type=SYSCALL msg=audit(1600914812.269:19246747): arch=c000003e syscall=2 success=yes exit=4 a0=7ffc0cefff10 a1=20042 a2=180 a3=0 items=2 ppid=8933 pid=13173 auid=4294967295 uid=1115 gid=1119 euid=1115 suid=1115 fsuid=1115 egid=1119 sgid=1119 fsgid=1119 tty=(none) ses=4294967295 comm="lsphp" exe="/opt/cpanel/ea-php73/root/usr/bin/lsphp" key="SESSIONREMOVETEST"

type=SYSCALL msg=audit(1600914812.270:19246748): arch=c000003e syscall=2 success=yes exit=4 a0=7ffc0cefff10 a1=20042 a2=180 a3=0 items=2 ppid=8933 pid=13174 auid=4294967295 uid=1115 gid=1119 euid=1115 suid=1115 fsuid=1115 egid=1119 sgid=1119 fsgid=1119 tty=(none) ses=4294967295 comm="lsphp" exe="/opt/cpanel/ea-php73/root/usr/bin/lsphp" key="SESSIONREMOVETEST"

type=SYSCALL msg=audit(1600914812.272:19246749): arch=c000003e syscall=2 success=yes exit=4 a0=7ffc0cefff10 a1=20042 a2=180 a3=0 items=2 ppid=8933 pid=13175 auid=4294967295 uid=1115 gid=1119 euid=1115 suid=1115 fsuid=1115 egid=1119 sgid=1119 fsgid=1119 tty=(none) ses=4294967295 comm="lsphp" exe="/opt/cpanel/ea-php73/root/usr/bin/lsphp" key="SESSIONREMOVETEST"

type=SYSCALL msg=audit(1600914814.183:19246750): arch=c000003e syscall=2 success=yes exit=4 a0=7ffc0cefff10 a1=20042 a2=180 a3=0 items=2 ppid=8933 pid=13208 auid=4294967295 uid=1115 gid=1119 euid=1115 suid=1115 fsuid=1115 egid=1119 sgid=1119 fsgid=1119 tty=(none) ses=4294967295 comm="lsphp" exe="/opt/cpanel/ea-php73/root/usr/bin/lsphp" key="SESSIONREMOVETEST"

type=SYSCALL msg=audit(1600915165.420:19247360): arch=c000003e syscall=2 success=yes exit=4 a0=7ffe6ab5f670 a1=20042 a2=180 a3=0 items=2 ppid=19129 pid=19131 auid=4294967295 uid=1115 gid=1119 euid=1115 suid=1115 fsuid=1115 egid=1119 sgid=1119 fsgid=1119 tty=(none) ses=4294967295 comm="lsphp" exe="/opt/cpanel/ea-php73/root/usr/bin/lsphp" key="SESSIONREMOVETEST"

type=SYSCALL msg=audit(1600915168.997:19247361): arch=c000003e syscall=2 success=yes exit=4 a0=7ffe6ab5f670 a1=20042 a2=180 a3=0 items=2 ppid=19129 pid=19187 auid=4294967295 uid=1115 gid=1119 euid=1115 suid=1115 fsuid=1115 egid=1119 sgid=1119 fsgid=1119 tty=(none) ses=4294967295 comm="lsphp" exe="/opt/cpanel/ea-php73/root/usr/bin/lsphp" key="SESSIONREMOVETEST"

type=SYSCALL msg=audit(1600915169.189:19247362): arch=c000003e syscall=2 success=yes exit=4 a0=7ffe6ab5f670 a1=20042 a2=180 a3=0 items=2 ppid=19129 pid=19189 auid=4294967295 uid=1115 gid=1119 euid=1115 suid=1115 fsuid=1115 egid=1119 sgid=1119 fsgid=1119 tty=(none) ses=4294967295 comm="lsphp" exe="/opt/cpanel/ea-php73/root/usr/bin/lsphp" key="SESSIONREMOVETEST"

type=SYSCALL msg=audit(1600915169.195:19247363): arch=c000003e syscall=2 success=yes exit=4 a0=7ffe6ab5f670 a1=20042 a2=180 a3=0 items=2 ppid=19129 pid=19190 auid=4294967295 uid=1115 gid=1119 euid=1115 suid=1115 fsuid=1115 egid=1119 sgid=1119 fsgid=1119 tty=(none) ses=4294967295 comm="lsphp" exe="/opt/cpanel/ea-php73/root/usr/bin/lsphp" key="SESSIONREMOVETEST"

type=SYSCALL msg=audit(1600915171.305:19247364): arch=c000003e syscall=2 success=yes exit=4 a0=7ffe6ab5f670 a1=20042 a2=180 a3=0 items=2 ppid=19129 pid=19207 auid=4294967295 uid=1115 gid=1119 euid=1115 suid=1115 fsuid=1115 egid=1119 sgid=1119 fsgid=1119 tty=(none) ses=4294967295 comm="lsphp" exe="/opt/cpanel/ea-php73/root/usr/bin/lsphp" key="SESSIONREMOVETEST"

type=SYSCALL msg=audit(1600915176.202:19247365): arch=c000003e syscall=2 success=yes exit=4 a0=7ffe6ab5f670 a1=20042 a2=180 a3=0 items=2 ppid=19129 pid=19274 auid=4294967295 uid=1115 gid=1119 euid=1115 suid=1115 fsuid=1115 egid=1119 sgid=1119 fsgid=1119 tty=(none) ses=4294967295 comm="lsphp" exe="/opt/cpanel/ea-php73/root/usr/bin/lsphp" key="SESSIONREMOVETEST"

type=SYSCALL msg=audit(1600915180.839:19247366): arch=c000003e syscall=2 success=yes exit=4 a0=7ffe6ab5f670 a1=20042 a2=180 a3=0 items=2 ppid=19129 pid=19339 auid=4294967295 uid=1115 gid=1119 euid=1115 suid=1115 fsuid=1115 egid=1119 sgid=1119 fsgid=1119 tty=(none) ses=4294967295 comm="lsphp" exe="/opt/cpanel/ea-php73/root/usr/bin/lsphp" key="SESSIONREMOVETEST"

type=SYSCALL msg=audit(1600915185.610:19247367): arch=c000003e syscall=2 success=yes exit=4 a0=7ffe6ab5f670 a1=20042 a2=180 a3=0 items=2 ppid=19129 pid=19373 auid=4294967295 uid=1115 gid=1119 euid=1115 suid=1115 fsuid=1115 egid=1119 sgid=1119 fsgid=1119 tty=(none) ses=4294967295 comm="lsphp" exe="/opt/cpanel/ea-php73/root/usr/bin/lsphp" key="SESSIONREMOVETEST"

type=SYSCALL msg=audit(1600915404.925:19247821): arch=c000003e syscall=2 success=yes exit=4 a0=7ffd182b37e0 a1=20042 a2=180 a3=0 items=2 ppid=23450 pid=23452 auid=4294967295 uid=1115 gid=1119 euid=1115 suid=1115 fsuid=1115 egid=1119 sgid=1119 fsgid=1119 tty=(none) ses=4294967295 comm="lsphp" exe="/opt/cpanel/ea-php73/root/usr/bin/lsphp" key="SESSIONREMOVETEST"

type=SYSCALL msg=audit(1600915408.474:19247822): arch=c000003e syscall=2 success=yes exit=4 a0=7ffd182b37e0 a1=20042 a2=180 a3=0 items=2 ppid=23450 pid=23503 auid=4294967295 uid=1115 gid=1119 euid=1115 suid=1115 fsuid=1115 egid=1119 sgid=1119 fsgid=1119 tty=(none) ses=4294967295 comm="lsphp" exe="/opt/cpanel/ea-php73/root/usr/bin/lsphp" key="SESSIONREMOVETEST"

type=SYSCALL msg=audit(1600915408.474:19247823): arch=c000003e syscall=2 success=yes exit=4 a0=7ffd182b37e0 a1=20042 a2=180 a3=0 items=2 ppid=23450 pid=23504 auid=4294967295 uid=1115 gid=1119 euid=1115 suid=1115 fsuid=1115 egid=1119 sgid=1119 fsgid=1119 tty=(none) ses=4294967295 comm="lsphp" exe="/opt/cpanel/ea-php73/root/usr/bin/lsphp" key="SESSIONREMOVETEST"

type=SYSCALL msg=audit(1600915408.477:19247824): arch=c000003e syscall=2 success=yes exit=4 a0=7ffd182b37e0 a1=20042 a2=180 a3=0 items=2 ppid=23450 pid=23505 auid=4294967295 uid=1115 gid=1119 euid=1115 suid=1115 fsuid=1115 egid=1119 sgid=1119 fsgid=1119 tty=(none) ses=4294967295 comm="lsphp" exe="/opt/cpanel/ea-php73/root/usr/bin/lsphp" key="SESSIONREMOVETEST"

type=SYSCALL msg=audit(1600915975.584:19248816): arch=c000003e syscall=2 success=yes exit=4 a0=7ffea704ca40 a1=20042 a2=180 a3=0 items=2 ppid=515 pid=990 auid=4294967295 uid=1115 gid=1119 euid=1115 suid=1115 fsuid=1115 egid=1119 sgid=1119 fsgid=1119 tty=(none) ses=4294967295 comm="lsphp" exe="/opt/cpanel/ea-php73/root/usr/bin/lsphp" key="SESSIONREMOVETEST"

type=SYSCALL msg=audit(1600915975.998:19248817): arch=c000003e syscall=2 success=yes exit=4 a0=7ffea704ca40 a1=20042 a2=180 a3=0 items=2 ppid=515 pid=995 auid=4294967295 uid=1115 gid=1119 euid=1115 suid=1115 fsuid=1115 egid=1119 sgid=1119 fsgid=1119 tty=(none) ses=4294967295 comm="lsphp" exe="/opt/cpanel/ea-php73/root/usr/bin/lsphp" key="SESSIONREMOVETEST"

type=SYSCALL msg=audit(1600916878.902:19250367): arch=c000003e syscall=2 success=yes exit=4 a0=7fffb6646720 a1=20042 a2=180 a3=0 items=2 ppid=15907 pid=15909 auid=4294967295 uid=1115 gid=1119 euid=1115 suid=1115 fsuid=1115 egid=1119 sgid=1119 fsgid=1119 tty=(none) ses=4294967295 comm="lsphp" exe="/opt/cpanel/ea-php73/root/usr/bin/lsphp" key="SESSIONREMOVETEST"

type=SYSCALL msg=audit(1600916879.316:19250368): arch=c000003e syscall=2 success=yes exit=4 a0=7fffb6646720 a1=20042 a2=180 a3=0 items=2 ppid=15907 pid=15913 auid=4294967295 uid=1115 gid=1119 euid=1115 suid=1115 fsuid=1115 egid=1119 sgid=1119 fsgid=1119 tty=(none) ses=4294967295 comm="lsphp" exe="/opt/cpanel/ea-php73/root/usr/bin/lsphp" key="SESSIONREMOVETEST"
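
Added example, not part of the original post: a small Python decoder for raw audit SYSCALL records like those above, run over the first record copied from the thread and one constructed `unlink` record for contrast. The syscall table assumes `arch=c000003e` (x86_64), and the function and constant names are this example's own.

```python
import re

# Syscall numbers for arch=c000003e (x86_64) that matter for session files.
SYSCALLS = {2: "open", 257: "openat", 82: "rename", 87: "unlink", 263: "unlinkat"}
REMOVERS = {"rename", "unlink", "unlinkat"}  # calls that can make a path disappear
# Linux x86_64 open(2) flag bits.
ACCESS = {0: "O_RDONLY", 1: "O_WRONLY", 2: "O_RDWR"}
FLAGS = {0x40: "O_CREAT", 0x80: "O_EXCL", 0x200: "O_TRUNC", 0x400: "O_APPEND",
         0x20000: "O_NOFOLLOW", 0x80000: "O_CLOEXEC"}
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

# First SYSCALL record, copied from the thread.
PAGE_RECORD = (
    'type=SYSCALL msg=audit(1600914808.883:19246746): arch=c000003e syscall=2 '
    'success=yes exit=4 a0=7ffc0cefff10 a1=20042 a2=180 a3=0 items=2 ppid=8933 '
    'pid=13128 auid=4294967295 uid=1115 gid=1119 euid=1115 suid=1115 fsuid=1115 '
    'egid=1119 sgid=1119 fsgid=1119 tty=(none) ses=4294967295 comm="lsphp" '
    'exe="/opt/cpanel/ea-php73/root/usr/bin/lsphp" key="SESSIONREMOVETEST"')
# Constructed for contrast (not from the thread): what a removal would look like.
CONSTRUCTED_UNLINK = (
    'type=SYSCALL msg=audit(1600914900.000:1): arch=c000003e syscall=87 '
    'success=yes exit=0 a0=7ffc0cefff10 a1=0 a2=0 a3=0 items=2 ppid=1 pid=4242 '
    'uid=1115 comm="lsphp" exe="/opt/cpanel/ea-php73/root/usr/bin/lsphp" '
    'key="SESSIONREMOVETEST"')

def parse(line):
    """Split one raw audit record into a dict of key=value fields."""
    return {k: v.strip('"') for k, v in FIELD.findall(line)}

def decode_open_flags(hex_flags):
    """Turn the hex flags argument of open/openat into symbolic names."""
    value = int(hex_flags, 16)
    return [ACCESS.get(value & 3, "?")] + [n for bit, n in FLAGS.items() if value & bit]

def summarize(line):
    rec = parse(line)
    if rec.get("type") != "SYSCALL" or rec.get("arch") != "c000003e":
        return None  # the syscall table above is only valid for x86_64
    name = SYSCALLS.get(int(rec["syscall"]), "syscall#" + rec["syscall"])
    out = {"pid": int(rec["pid"]), "exe": rec["exe"], "syscall": name,
           "removes_path": name in REMOVERS}
    if name in ("open", "openat"):
        i = 1 if name == "open" else 2  # openat takes a dirfd first
        out["flags"] = decode_open_flags(rec[f"a{i}"])
        out["mode"] = oct(int(rec[f"a{i + 1}"], 16))
    return out

if __name__ == "__main__":
    for record in (PAGE_RECORD, CONSTRUCTED_UNLINK):
        print(summarize(record))
```

For the record copied from the thread this reports `open` with `O_RDWR`, `O_CREAT`, `O_NOFOLLOW` and mode `0o600`; a file removal would appear as `unlink`, `unlinkat` or `rename` instead.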
 

mkaaaay

Well-Known Member
#6
That's an interesting point. The issue is in admin, but it's worth excluding the dir to be sure.

Further examination shows the actual session remains intact after getting booted out of admin. It's like a session_var is being lost. PHP Session_ID remains, though.
 

mkaaaay

Well-Known Member
#10
I was looking at it from all angles, but the thing is, I didn't set CF up and so it wasn't in my mind. Eventually I would have got there though, yes. Thanks.
 

serpent_driver

Well-Known Member
#12
I was looking at it from all angles, but the thing is, I didn't set CF up and so it wasn't in my mind. Eventually I would have got there though, yes. Thanks.
My advice for the future: if issues happen again, always set cache to the highest priority that could cause an issue.
 