I have a simple question to which I couldn't find the answer on this page:
https://codeigniter.com/userguide3/libraries/sessions.html#how-do-sessions-work
That is why I ask it here.
But first, let's assume that the session will expire in 600 seconds (10 minutes).
So, when will the session cookie actually expire?
1. from the first time I open a CodeIgniter website and use it for 10 minutes, or
2. 10 minutes after I stop opening pages on that website
Another question if the answer is 1:
Can I somehow extend the session every time the user accesses the website?
Another question if the answer is 2:
What is happening with sess_time_to_update? Can I extend the life of session_id to match the life of the session too?
Assuming $config['sess_expiration'] = 600; (10 minutes), the session cookie will expire 10 minutes after the last time you accessed the page, or "answer 2" as you called it.
sess_time_to_update controls how long before the session ID is changed, but that has nothing to do with expiration and is entirely transparent to you and/or the user - the ID itself will be changed for security purposes, but all other attributes will be preserved.
The "life of session_id" and "life of the session" are one and the same thing; there will never be a mismatch between them. A file or database record of the expired session may remain for a bit on the server, until the garbage collector clears it up, but without an ID stored in the cookie you effectively have no active session.
Related
I am developing a simple PHP website named: http://www.dopanchat.com
In this site I used sessions to develop the login system. Everything works fine, but after some amount of time (for example, after 1 hour) the session expires automatically and the user is logged out from my site.
I don't know if it's a server problem or anything else.
Please help me to resolve this problem. You can check here: http://www.dopanchat.com
Extending your session timeout is an approach, but I won't recommend expanding it too much :)
Instead, your application could detect user activities and refresh the session expiry time accordingly.
After all, it doesn't really matter what the session's timeout is; at some point the user will lose the authentication due to the expired session.
Basically, the expiry countdown always starts after the user's last action and not from the moment s/he logged in to your system.
Try this:
// Time in seconds before the session data is treated as garbage
ini_set('session.gc_maxlifetime', 3600);
// Time in seconds before the session ID cookie expires
session_set_cookie_params(3600);
// Start session
session_start();
I think this is going to work. Tell me if it works!
(Sorry for my bad English :D)
You can extend the session expiry time by adjusting the php.ini file as follows:
session.gc_maxlifetime=86400 ; 1 day
session.gc_divisor=5000
session.gc_probability=1
gc_divisor and gc_probability are responsible for cleaning expired session files; with the above config, the session will be valid for 1 day.
I'm using a simple, custom session wrapper class to store user sessions in the database, but I'm confused with how to accomplish long-term saved sessions while having short term sessions as well.
I give the user the option to "Keep me logged in". If this is set then I want to keep their session saved for 6 months. If it's not set then I want to keep their session saved for 2 hours. I don't want this 6 month period to keep extending... even if they log in every day, after 6 months their persistent login will be cleared.
If I set session.cookie_lifetime and the garbage collection variable session.gc_maxlifetime to something like 6 months or more, then the people with only the "2 hour session" will be leaving tons of unused sessions that won't get cleaned up by the garbage collection until 6 months or more. I'd rather keep session.gc_maxlifetime set to a more reasonable value.
I'm thinking what I should do is create a cookie (not the PHPSESSID cookie because I don't want garbage collection to clear it) that contains the last used session id, and set the expiration of that cookie to either 6 months or 2 hours, depending on if they checked "Keep me logged in" or not. If someone starts a new session and they have this cookie saved, it will try to match the cookie's session id to a saved session in the database. If the same session is found, it will change the session id to their new session id and update the database record, continuing their session. If it's not found it will create a new database entry.
Does this sound like a good way to accomplish what I want? Are there any security issues with this?
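An added example, not from the original post, of a "Keep me logged in" cookie whose 6-month deadline is fixed at login and never slides. It uses a random selector/validator token rather than the last session ID proposed above; the function names, the cookie format and the $store array standing in for the database table are assumptions.

```php
<?php
// Added example. $store stands in for a database table keyed by selector;
// the "selector:validator" cookie format and all names are assumptions.
const REMEMBER_TTL = 15552000; // 180 days, fixed at login and never extended

// Issue a token at login. Returns [cookie value, absolute expiry timestamp].
function remember_issue(array &$store, int $userId, int $now): array
{
    $selector  = bin2hex(random_bytes(9));   // lookup key, not secret on its own
    $validator = bin2hex(random_bytes(32));  // secret half, only sent to the browser
    $expires   = $now + REMEMBER_TTL;
    $store[$selector] = [
        'user_id' => $userId,
        'hash'    => hash('sha256', $validator), // only a hash is kept server-side
        'expires' => $expires,
    ];
    return ["$selector:$validator", $expires];
}

// Validate a presented cookie. Returns the user id, or null if unknown, forged or expired.
function remember_check(array &$store, string $cookie, int $now): ?int
{
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2 || !isset($store[$parts[0]])) {
        return null;
    }
    $row = $store[$parts[0]];
    if ($now >= $row['expires'] || !hash_equals($row['hash'], hash('sha256', $parts[1]))) {
        unset($store[$parts[0]]); // expired or tampered: delete the record
        return null;
    }
    return $row['user_id']; // 'expires' is not updated, so daily use does not extend it
}

if (PHP_SAPI === 'cli') { // demo with a constructed clock starting at 0
    $store = [];
    [$cookie, $exp] = remember_issue($store, 42, 0);
    // In a web request the cookie would be sent with the same absolute expiry:
    // setcookie('remember', $cookie, ['expires' => $exp, 'httponly' => true, 'secure' => true]);
    var_dump(remember_check($store, $cookie, 86400));        // one day after login
    var_dump(remember_check($store, $cookie, REMEMBER_TTL)); // at the fixed deadline
}
```

With this split, session.gc_maxlifetime can stay at the 2-hour value for ordinary sessions, because the long-lived state lives in its own table and cookie.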
I've googled around about this and what I know so far is that the session is destroyed when the browser is closed and if the browser is just kept open, the session automatically expires after a fixed amount of time like 24 minutes.
But when does the counter for these 24 minutes start? When the server executes the session_start() line? This question might be a little long but please bear with me. Assume I have a PHP page with this code in it:
<?php
session_start();
?>
If a user opens this page and just keeps it open for about an hour, will the session still expire although the page is still open? And if I add the session_start() code at the beginning of every page of my site, does the counter get reset to zero every time the user opens a new page of the site?
Basically I want to make a login system that logs a user out when he closes the site or clicks the log out button, and I want to keep him logged in as long as he has the site open, without him getting logged out automatically after 24 minutes or any other fixed time.
The timing starts when the session is first created. After the 24 minutes, it might or might not be erased by the garbage collector as it randomly kicks in (see session.gc_* directives).
What you want to do is regenerate the session every N minutes (session_regenerate_id()), so that it doesn't expire as long as the user is active.
I made a website with login features, but sometimes users are automatically logged out. I have other websites and have never experienced this issue before. My website is hosted. My session script is
if ($credentials_match) { // placeholder for the check that username and password match
    $_SESSION['front_end_user'] = $username;
}
The difference between this website and my other website is that in this website I use full jQuery interaction. Could this affect the session? If not, what is the problem?
I have checked all my pages and there are no session_destroy or unset statements.
The session usually expires after 24 minutes. By the way you can set this session timeout to last more, but I'd not suggest this. I'd use a cookie solution. (For this google "remember me tutorial" and you'll find out).
I think this is a session timeout. Your session is timing out after a certain amount of time, and this is normal behaviour for all applications.
PHP's default session timeout value is 24 minutes. This means that the session will time out after 24 minutes of inactivity.
Although you can increase the session timeout limit, note that it should not be a big amount.
I have a web application that pings a database every minute or so to check for new entries. The page is designed to not really have any interaction with... You just keep it open and it displays things. The page is password protected, and the site can be up for a couple days without anyone clicking in the web browser or anything. I've found after it's up for like a day or so it stops checking the database (through an Ajax request) and then if you refresh the page manually it brings you to the login page again. I'm assuming that's because the session which has the login information expires. I never set an expiration time, but does PHP automatically destroy the sessions after a certain amount of time? What do I do to fix this?
Thanks
Thanks for all the replies... Is there a way to set the session to never expire without just changing the PHP settings themselves?
The default value of session.gc_maxlifetime is 1440 seconds. So the garbage collector assumes a session to be expired when the last modification was at least 1440 seconds ago.
Note that when using a cookie for the session ID it might have a different lifetime. The default value 0 of session.cookie_lifetime makes the cookie a session cookie, that means it expires when the browser session is ended (i.e. the browser is closed).
See also my answer on How do I expire a PHP session after 30 minutes? for further information on session expiration.
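An added example (not part of any post on this page) of the activity-based expiry and periodic session_regenerate_id() discussed in the answers above: it enforces the idle timeout in the application instead of waiting for session.gc_maxlifetime garbage collection, and adds a hard cap on total session age. The constants, function names and $_SESSION keys are assumptions.

```php
<?php
// Added example. Constants and $_SESSION key names are assumptions.
const IDLE_TIMEOUT   = 1440;  // allowed inactivity in seconds (default gc_maxlifetime)
const ABSOLUTE_LIMIT = 28800; // hard cap on session age, however active the user is
const ROTATE_EVERY   = 300;   // change the session ID this often

// Pure decision function: 'expired', 'rotate' or 'ok' for stored timestamps at $now.
function session_verdict(array $s, int $now): string
{
    if (!isset($s['created'], $s['last_seen'], $s['rotated'])) {
        return 'expired'; // session data without our timestamps is not trusted
    }
    if ($now - $s['last_seen'] > IDLE_TIMEOUT || $now - $s['created'] > ABSOLUTE_LIMIT) {
        return 'expired';
    }
    return ($now - $s['rotated'] >= ROTATE_EVERY) ? 'rotate' : 'ok';
}

// Call at the top of every page instead of a bare session_start().
// Returns false when the session had expired and was destroyed.
function start_checked_session(): bool
{
    ini_set('session.gc_maxlifetime', (string) IDLE_TIMEOUT);
    ini_set('session.use_strict_mode', '1'); // reject IDs the server did not issue
    session_set_cookie_params(['lifetime' => 0, 'httponly' => true]); // PHP 7.3+
    session_start();
    $now = time();
    if ($_SESSION === []) { // brand-new session: stamp it
        $_SESSION = ['created' => $now, 'last_seen' => $now, 'rotated' => $now];
        return true;
    }
    $verdict = session_verdict($_SESSION, $now);
    if ($verdict === 'expired') {
        $_SESSION = [];
        session_destroy(); // enforce expiry now, not whenever the GC happens to run
        return false;
    }
    if ($verdict === 'rotate') {
        session_regenerate_id(true); // new ID, same data, old record deleted
        $_SESSION['rotated'] = $now;
    }
    $_SESSION['last_seen'] = $now; // activity slides the idle window only
    return true;
}

if (PHP_SAPI === 'cli') { // demo on constructed timestamps, no real session needed
    $s = ['created' => 0, 'last_seen' => 1000, 'rotated' => 900];
    foreach ([1100, 1250, 2500] as $t) {
        echo $t, ' => ', session_verdict($s, $t), PHP_EOL;
    }
}
```

A page that polls by Ajax counts as activity here only if the polled endpoint also calls start_checked_session().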
From php.ini:
; Lifetime in seconds of cookie or, if 0, until browser is restarted.
; http://php.net/session.cookie-lifetime
session.cookie_lifetime = 0
That would be the default if I'm not mistaken. Either set it to zero (if it's not already set) or just use another cookie.