I have a site where I use session authorization for my users
Details are:
PHP Version 7.2.8
session.gc_maxlifetime 604800
session.gc_probability 1
session.gc_divisor 1000
I use the following db.php file for creating a session
$dinamo_session = session_name("dinamo_session");
ini_set('session.cookie_domain', '.DOMAIN_NAME');
#if (isset($_REQUEST[session_name("dinamo_session")])) {
#ini_set('session.cookie_lifetime', 604800);
#ini_set('session.gc-maxlifetime', 604800);
#ini_set('session.save_path', '/var/www/user9357/data/_SESSIONS');
session_start();
#session_regenerate_id(true);
#session_write_close();
#}
My users do not complain from their end everything seems to be ok, the only thing is that I see a growing amount of session files with zero sizes (as well as I see normal session files with the real session's data)
You can see different lines of code are commented out. I tried to use all of them to avoid creation of these zero size files but that did not help (isset - to check if the session has been created before, session_regenerate_id(true) - to delete the old files) but no luck. I even had to comment out isset as some users complained that they were not able to log in. I also checked that: Opera and Firefox were ok, but Vivaldi browser was not able to login
Any ideas why these zero files are created and how can I stop it?
Related
I'm a bit stuck here. I've made a quick website for work to make it easier then filling in a google spreadsheet, however, I've got a little stuck on the sessions.
If you sit on a page for over fifteen minutes when you try to navigate to the next it logs you out and you have to log in again, potentially losing any edits on the previous page. I'm trying to increase that to two hours figuring no one's going to nip to the bathroom or grab a coffee for that long.
So I increased my session.gc_maxlifetime & session.cookie_lifetime in my php.ini to two hours:
session.gc_maxlifetime = 7200
session.cookie_lifetime = 7200
The way my host manages this is on a per site basis so has thrown a bunch of code into the .htaccess, user.ini and a php.ini in the root directory of my site.
However, my site keeps logging out after every fifteen minutes.
Each page starts with:
session_start([
'use_only_cookies' => 1,
'cookie_lifetime' => 0,
'cookie_secure' => 1,
'cookie_httponly' => 1
]);
if (isset($_SESSION['LAST_ACTIVITY']) && (time() - $_SESSION['LAST_ACTIVITY'] > 7200)) {
session_unset();
session_destroy();
}
$_SESSION['LAST_ACTIVITY'] = time();
if (!isset($_SESSION['CREATED'])) {
$_SESSION['CREATED'] = time();
} else if (time() - $_SESSION['CREATED'] > 5200) {
session_regenerate_id(true);
$_SESSION['CREATED'] = time();
}
Which I've taken from:
How do I expire a PHP session after 30 minutes?
https://guides.codepath.com/websecurity/PHP-Cookies-and-Sessions
However, adding this hasn't changed the behaviour from just having session_start(); but I've left it in as it seems it would be useful, if it worked. I've seen mention of using:
int_set('session.gc_maxlifetime',7200);
but when I throw that into my site it doesn't load, HTTP ERROR 500 in the browser and:
PHP Fatal error: Uncaught Error: Call to undefined function int_set() in /home/host/www.site.com/includes/session_log.php:2
in the log file (row 1 being <?php btw, from what I read it needed to go at the very start, so I moved the session_start([ stuff down a row for it).
The server is Apache 2.4.41 with PHP 7.3.11
I've looked at the cookie the site sets and nothing seems amiss there:
PHPSESSID
Name
PHPSESSID
Content
1d25972d16762a4af8c4d65ad42e1249
Domain
www.site.com
Path
/
Send for
Any kind of connection
Accessible to script
Yes
Created
Sunday, 5 January 2020 at 13:47:54
Expires
When the browsing session ends
Not being an actual programmer I'm at a bit of a loss here, usually I can google my way to an answer (usually found on Stack Overflow) but not managing it today as everything I've read, I've tried, and I still can't get passed the fifteen minute time out.
Just for clarity, it's fifteen minutes from the last page load, not sign in, so something is working to refresh the users session, just can't seem to increment that past fifteen minutes = \
I have a login page/system which has worked correctly for years, leaving the user logged in until he/she either closes the browser window or logs out manually. But lately (starting yesterday) after only a few minutes of inactivity the session cookie/s seems to expire, causing the user to be logged out automatically.
This happens on different browsers and different operating systems, the PHP version is 5.6.29, which has been changed recently (before it was 5.5 and even 5.3).
I create and refresh the session on every page with session_start(). The login script first checks user name and PW and also gets some other user data from the database. These other data are first saved in variables and then written into session variables like
$_SESSION['username'] = $name;
$_SESSION['usertype'] = $type;
The successful login state is saved like this:
$_SESSION['login'] = "ok";
On the other pages I check the login state like this:
session_start();
if(($_SESSION['login'] != "ok") OR ($_SESSION['usertype'] != "xxx")) {
header("Location: ../login.php"); /* redirects to login page if conditions are not true */
exit;
}
The login works, and logged-in users can proceed to other pages as long as the do it more or less in constant succession, but if someone waits a few minutes before proceding (i.e. without any acitivity), he/she is logged out (i.e. redirected to the login page when trying to open another page).
To make it extra-nasty, half of the time it just works as expected, also after half an hour...
Any help would be very much appreciated.
UPDATE:
Adding ini_set('session.gc_maxlifetime', 3600'); and `ini_set('session.cookie_lifetime', 3600); didn't help. I removed it again.
After that I had a look in the error logs and found this:
ap_pass_brigade failed with error 103: Software caused connection
abort
(problem is, I don't have access to the server settings - this is on a shared webspace...)
You can see the php configuration (php.ini) by phpinfo();
<?php
phpinfo();
Check the session.gc_maxlifetime values first then if you need to set it see the following ways.
You can set it with .htaccess file if you don't have permission for edit the php.ini file.
.htaccess
<IfModule mod_php5.c>
php_value session.cookie_lifetime 3600
php_value session.gc_maxlifetime 3600
</IfModule>
Even you can set it by ini_set();
<?php
ini_set('session.gc_maxlifetime', 3600);
For anyone who is interested: The session didn't actually expire, but the session variables disappeared (and reappeared again randomly).
This is discussed in a follow-up question I posted here:
php $_SESSION variables disappear and reappear randomly
You must have changed the session.name from default PHPSESSID to something else. Keep its default value session.name = PHPSESSID. Everything will be OK.
It's a PHP bug.
I have a site running on apache and using php. Sometimes I have users on the site doing work and then they suddenly lose their session. I start the session with
session_start()
and it puts a PHPSESSID cookie in the user's browser. I also have
session.cookie_lifetime=0
in my php.ini file. I also do a javascript long poll every 5 minutes to see if the session is still active.
Here is the php code that I use to see if the session is still active
public function actionPollLogin()
{
if (isset($_SESSION['user']['id']))
{
echo $this->renderAjaxJson(array("success"=>1));
} else {
echo $this->renderAjaxJson(array("success"=>0));
}
}
If success == 0 then I return the user to the public part of the site. But like I said, the weird thing is that the user can be actively using the site and then idle for 20 seconds and get logged out. And for testing, I dump the session to the screen that the users are returned to confirm the session is dead.
What settings to I need to tweak to allow active users to stay logged in.
Here are my current php.ini settings
session.hash_bits_pre_character=5
session.hash_function=0
session.cache_expire=180
session.cache_limiter=nocache
session.referer_check=
session.gc_maxlifetime=1440
session.gc_divisor=1000
session.gc_probability=1
session.serialize_handler=php
session.cookie_httponly=
session.cookie_domain=
session.cookie_path=/
session.cookie_lifetime=0
session.auto_start=0
session.name=PHPSESSID
session.use_only_cookies=1
session.use_cookies=1
session.use_strict_mode=0
Docs
session.gc_maxlifetime specifies the number of seconds after which data will be seen as 'garbage' and potentially cleaned up.
So after 24 minutes your sessions expire server-side and are potentially cleaned up.
The solution for me was to add this line after my session_start();
$_SESSION['activity']=time();
This updated the last modified date of the session file everytime the user interacted with the site.
I'm using a java based uploading construct http://www.javaatwork.com/java-upload-applet/details.html that I tried running over night.
It basically stores everything on the server's hard drive (/var/www/private/$userId)
Makes sure that data is well-formed
Then passes it onto a permanent storage (Amazon S3).
After step 1 completes, I run the following code:
if($_SESSION['userId'])
{//Makes sure that data is well-formed}
else
{echo 'you are not logged in';}
I tried running this for four hours only to find you are not logged in printed to the screen.
Here are the appropriate directives in the cgi php.ini file (I'm using ubuntu 12.04 with apache2.)
session.gc_probability = 0
session.gc_divisor = 1000
session.gc_maxlifetime = 14400 //this is 30 hours, which is far greater than the 4 hours it was running
session.cache_expire = 1800
session.cookie_lifetime = 0
Most of these directives are the default with exception to session.gc_probability and session.gc_maxlifetime.
I was trying to resolve this issue and came across a really helpful blog by Jeff from which I inferred that browsers can cause the PHPSESSID cookie stored in the browser to be deleted if a period of inactivity on the website from within the browser occurs. He suggests
"Create a background JavaScript process in the browser that sends regular heartbeats to the server. Regenerate a new cookie with timed expiration, say, every 5 or 10 minutes."
http://www.codinghorror.com/blog/2008/04/your-session-has-timed-out.html
So I decided to do just that.
function myTimeoutFunction()
{
$.ajax({
url: "heartbeat.php",
success: function() {
}
});
setTimeout(myTimeoutFunction, 15*60*1000);
}
myTimeoutFunction();
heartbeat.php
<?php session_start(); ?>
I'm about to test this for an upload that should take ~4 hours. However I just read the following
In general you can say session.gc_maxlifetime specifies the maximum lifetime since the last change of your session data (not the last time session_start was called)
https://stackoverflow.com/a/1516338/784637
If I had 3 session variables, $_SESSION['userId'] $_SESSION['firstName'] $_SESSION['lastName'], would I need to reset all their values in heartbeat.php
session_start();
$_SESSION['userId'] = $_SESSION['userId'];
$_SESSION['firstName'] = $_SESSION['firstName'];
$_SESSION['lastName'] = $_SESSION['lastName'];
Or could I just reset one value
session_start();
$_SESSION['lastHeartbeat'] = time();
so that the other three would not expire?
The PHP session is kept as a whole; any changes in $_SESSION will update the change time and, by extensions, preserve the entire session.
Concerning the actual issue: PHP shouldn't GC sessions until the max time is reached, but that doesn't mean PHP is always clearing it. By default, sessions are kept in the /tmp (or another) directory and some Linux distros will have cron jobs that may clean the folder out from time to tome. Check for crons or other things that may clear the sessions independent of PHP too.
I was working in a project where another developer wrote the code,while a user is login the session_start() as usual and then he is cheking like belows:
if($a['userName'] == $username && $a['password'] == $pwd)
{
$_SESSION['id'] = $a['id']; ?> <script language="javascript"type="text/javascript">window.location="host.php";</script> } else {
$msg= "Invalid Username Password";
}
And when a user want to use the form after couple of seconds its logout and user can not submit data.
I have tried increasing session life time duration:
$sessionCookieExpireTime=8*60*60;
session_set_cookie_params($sessionCookieExpireTime);
And also tried with increasing session lifetime in runtime like below:
ini_set('session.gc_maxlifetime', '3600');
And finally tried by increasing php.ini session lifetime .
Unfortunately those did not work.
One thing I should mention that,there is no session_destroy() for logout issues.
Thanks in advance.
What kind of server are you working on?
On a shared server that runs multiple sites that use a shared session directory the session.gc_maxlifetime is in effect the shortest lifetime of all sites accessing that shared directory.
If the problem is on a development server, find out where the session files are stored and look at what happens to them.
It is also possible that the directory where the sessions are stored is not writeable. In that case the session variable is never stored in the first place.
In all three cases: try to store the session files in a different directory. In code you have to set the session directory with session_save_path() before you call session_start().
The timeout occurs when user idle activity for certain time. There is no way to logout automatically unless using session_destroy.
It may be possible that your code
$a['id'];
returns null by chance.
Also, you need to checkout which page is getting logged out.
Giving the full code may be easy to identify the issue.