Made summary not be one word.

Same problem exists if you are in a chroot environment. Consider the example provided by the original author and add chroot to the project directories.

ie:

/home/project1/
/home/project2/

Now each site's index.php is actually:

/web/index.php   (project1)
/web/index.php   (project2)


Somehow this also causes a collision in the cache and causes PHP to serve the wrong index.php from cache if you hit project1 first followed by project2 next.

its a common problem and also a deal-breaker when using chrooted enviroments like the php-fpm setup, you can find many complains on the net:
https://www.google.com/search?q=php-fpm+chroot+opcache.so

by using a config file from a wrong neighbor project, this bug can even break things.
this is not happening with APC or xcache, so these work around the problem somehow.

php version is 5.5.16 for me

This is also a big security issue for two reasons:
1. it allows to read files from other chroots (containing secrets)
if you know another chroot vhost (project1) is running a wordpress installation, you can create a file with a path existing on project1 like /web/wp-config.php in project2, include it from project2 and then echo DB_PASSWORD, DB_HOST and so on. you can read the secrets from project1.

2. i have not tried it, but i think it allows to override files on other chroots and inject arbitrary code.
you can create a /web/index.php containing a php backdoor. if the opcache for that file gets cleared (server restart, garbage collection) and your file is the first loaded into cache again, you have your code executed in other chroots.

a user running chroots without overlapping files will not notice this problem, bringing this vulnerability into production enviroments.

It would be great to be able to specify a prefix for the opcache key. This would easily allow to separate the caches for different pools.

It turns out this is not a bug, it is the behaviour that is expected when opcache.use_cwd is set to zero.

With it set to zero OPCache does not include the current path in the name used for the cached script, and so OPcache cannot tell two scripts with the same name in different directories apart.

The setting opcache.use_cwd should always be enabled unless PHP is going to be running a single application with known unique file names.

It also happens when using a chroot and several identical applications in different pools. As the applications are identical the paths obviously are as well. This really should be fixed, e.g. by prefixing the cache name with the pool name.

yes, chroots are really THE problem and it renders the opcache completely unusable in multi-domain hosting enviroments. 
More importantly, this can cause security, privacy and !data-integrity! issues if users do not recognize quickly that it is broken.
I actually had the issue that webshops hosted at my server were displaying products from completely different domains, because the config files had the same path and the same config is executed for all domains. I had a hard time explaining that to my customers.

Finally i did fall back to xcache, it works with chroot so i think it should also work with the official opcache too. This is a serious issue, please reopen this bug.

@public+php dot net at bastelstu dot be +  @spam at rw23 dot de

Those are different cases from the issue that I originally reported. Please open a separate feature request.

@Danack at basereality dot com

Why do you say its different issue? Chrooting is impossible with webcache due to faulty opcache file handling. Could you reopen this bug please, and not call it a feature please? :)

op cache is really unusable with identical applications (same or similar directory structure) on same hosting. 

We need more specify cache for one file, eg. absolute filepath? Or if this is how opcache was designed then disable this feature by default.

We can confirm that. Because of this bug opcache is unusable in chroot.

Related to/Duplicate?: https://bugs.php.net/bug.php?id=69090

yes, its duplicate.

this is a big issue with fatal consequences, and it is still just ignored :(

Problem also exists in PHP 7. Opcache is useless in a chrooted production environment.

It's appalling how this problem is ignored ...

I've posted a proposed patch for the cross-user cache access vulnerability to https://bugs.php.net/bug.php?id=69090 . It doesn't solve the problem in all chroot cases, but it will solve it if the chroot environments run PHP scripts as different system users. My fix might not be perfect, but after 2 years of inaction on this bug I think it's better than nothing.

Confirmed to still be a problem in PHP7. Cant understand why nobody cares about it, this is a real bug that causes data corrution, confusion and security problems!

My Workaround (PHP5/PHP7) is this:
i have htdocs directory inside my chroot.
rename this to htdocs.someuniqueid and created a symlink from htdocs to htdocs.someuniqueid. restart php-fpm.
the opcache will use the realpath (the path after resolution of all symlinks) and therefore the path with the unique id. by using the symlink, other configurations can stay unchanged.

My workaround in php5 was to uninstall opcache and use xcache, but as xcache is not available anymore with php7.