Ok, so here is the problem.
I have a website with a member login and a payment module. The member can buy stuff, but only when he's logged in (with sessions).
When the member wants to pay, he is redirected to another page of the payment provider (mollie). So for a brief amount of time, he leaves my website.
When the payment is done, he is automatically sent back to my website. And that's where the problem occurs: he is logged out.
How can I keep the sessions alive?
<?php
if(isset($_SESSION['member']) && $_SESSION['time']+300 > time()){
// logged in
}
?>
Anyone an idea?
By default, PHP keeps a user's session open until their browser is closed. You can override that behaviour by changing the session.cookie-lifetime INI setting:
When you are creating the session for first time use this code, it will set the cookie time for a year (use your own time as its needed).
ini_set('session.cookie_lifetime', 60 * 60 * 24 * 365);
ini_set('session.gc-maxlifetime', 60 * 60 * 24 * 365);
session_start();
That should set the PHPSESSID cookie and your session will be safe... but is not the most secure way, so use it if you don't mind security issues
i would also try something with using the session_set_cookie_parameters() to give the session cookie a non-zero lifetime before starting the session, or set session.cookie_lifetime to non-zero.
i think the easiest way for you is that instead of just session_start we should input this on each page there is a session
$expire = 365*24*3600; // We choose a one year duration
ini_set('session.gc_maxlifetime', $expire);
session_start(); //We start the session
setcookie(session_name(),session_id(),time()+$expire);
//Set a session cookies to the one year duration
The problem is solved! It was an issue with 'www' and 'non-www'.
I added the following code:
session_set_cookie_params(0, '/', '.mydomain.com');
Related
So in this zend 1 application, when I go to start page, I can see that there is a cookie named PHPSESSID.
I then log in (a custom login) and the user can go through protected pages.
But if he is inactive for more than 30 minutes, when then requesting a protected page the application will redirect him to login page.
What I was focusin on was the PHPSESSID. Which initially was set to 30 minutes. I increased that by adding "28800" to what seems to be a global call to setcookie.
When I then reloaded the page, I could see that PHPSESSID would expire after 8 hours.
Despite this, the use is still being logged out after 30 minutes.
So changing cookie expiration didn't gave anything.
What's next? Changing the php session duration?
Current relevant values are:
session.cache_expire: 180
session.gc_divisor: 1000
session.entropy_length:32
session.gc_maxlifetime: 14400
session.gc_probability:1
session.name: PHPSESSID
Or is this related to the framework itself? Somewhere in Zend to adjust the expiration of the session?
If you are using zend then try this.
$auth = Zend_Auth::getInstance();
if ($auth->hasIdentity()) {
$authns = new Zend_Session_Namespace($auth->getStorage()->getNamespace());
$authns->setExpirationSeconds(60 * 30); //expire auth storage after 30 min
}
If you have multiple php site storing session files in the same dir - php gc processes may have different set for session. In this case store session files in another, only for you site, directory.
Could anyone tell how to maintain a session (in PHP) so that the session contains are preserved and are accessible even after the browser is restarted.
In general a session expires with the closing of a browser, but I want the session NOT TO BE CLOSED so that the session data's can be accessed the next time the browser is used.
Use session_set_cookie_parameters() to give the session cookie a non-zero lifetime before starting the session, or set session.cookie_lifetime to non-zero.
It's oxymoron.
Session stands for "until browser is closed".
Session is something that expires.
If you don't want it to be expired, you're probably don't want a session at all.
You are probably messing session with cookie or database.
Session in php (and in most web technologies) work like this :
You store a session id in a cookie on the client computer.
When the client come to your site he send you the session id.
The server find the session datas in a file with the session id and load it.
So closing the browser has not effect on the session, but if the browser empty the cookie when you close it (I don't think any browser do such a thing).
If you wana be sure the user is always logged in, you can store it's user/password in his cookies but it's not really safe.
The easiest and best i have found is that instead of just session_start we should input this on each page there is a session
$expire = 365*24*3600; // We choose a one year duration
ini_set('session.gc_maxlifetime', $expire);
session_start(); //We start the session
setcookie(session_name(),session_id(),time()+$expire);
//Set a session cookies to the one year duration
You can do something like this: (see session_set_cookie_parameters() and session_name())
// long long time
$sessionTime = 365 * 24 * 60 * 60;
$sessionName = "my_session";
session_set_cookie_params($sessionTime);
session_name($sessionName);
session_start();
if (isset($_COOKIE[$sessionName])) {
setcookie($sessionName, $_COOKIE[$sessionName], time() + $sessionTime, "/");
}
For $sessionTime, also refer to this question
This can be done if you use cookies instead of sessions.
I am developing a simple php website named : http://www.dopanchat.com
In this site I used session to develop the login system, everything work fine but after some amount of time (for example, after 1 hour) the session expires automatically and user logged out from my site.
I don't know if it's server problem or anything else.
please help me to resolve this problem, you can check here : http://www.dopanchat.com
Extending your session timeout is an approach but I won't recommend to expand it too much :)
Instead your application could detect user activities and refresh the session expiry time accordingly.
After all it doesn't really matter what is the session's timeout at some point user will lose the authentication due to the expired session.
Basically the expiry count down always starts after user's last action and not from the moment s/he logged in to your system.
Try this :
// Time in secondes before the session expires
ini_set('session.gc_maxlifetime', 3600);
// Time in secondes before the ID's session in the cookie expires
session_set_cookie_params(3600);
// Start session
session_start();
If think this gonna work. Tell me if it work !
(Sorry for my bad english :D)
you can extend session expire time by adjusting php.ini file as follows
session.gc_maxlifetime=86400 //1 day
session.gc_divisor=5000
session.gc_probability=1
gc_divisor and gc_probability are responsible for cleaning expired session files, by above config session will valid for 1 day
I have set session timeout time for 20 Minutes as below.Sometime the session timeout is happening in two or three minutes.
ini_set('session.gc_maxlifetime', 1200);
ini_set('session.cookie_lifetime', 1200);
ini_set('session.gc_probability', 1);
ini_set('session.gc_divisor', 100);
What could be the issue?
The 20 minute expiration does not reset when the user browses other pages. The problem is explained in this comment:
As PHP's Session Control does not handle session lifetimes correctly
when using session_set_cookie_params(), we need to do something in
order to change the session expiry time every time the user visits our
site. So, here's the problem.
$lifetime=600;
session_set_cookie_params($lifetime);
session_start();
This code doesn't change the lifetime of the session when the user
gets back at our site or refreshes the page. The session WILL expire
after $lifetime seconds, no matter how many times the user requests
the page. So we just overwrite the session cookie as follows:
$lifetime=600;
session_start();
setcookie(session_name(),session_id(),time()+$lifetime);
And now we have the same session cookie with the lifetime set to the
proper value.
Better, leave the session.cookie_lifetime to 0 so that the cookie expires when the browser is closed. Otherwise, users who assume that closing the browser will end their session will be surprised when they re-open their browser before the 20 minute timeout.
Edit regarding gc_xxxx settings
gc_probability = 1, gc_divisor = 1, gc_maxlifetime = 1200
1/1 implies PHP will check the date of session files for every session_start call.
gc_probability = 1, gc_divisor = 100, gc_maxlifetime = 1200
1/100 means PHP will check the date of session files randomly but approximately once per 100 session_start calls.
The date check itself consist of comparing session file's accessed time with gc_maxlifetime; it deletes the file if wasn't accessed in the past (e.g.) 20 minutes.
Having said that, if the cookie expires because of timeout (or closing of browser when timeout was 0) the session expires immediately since the browser stops sending the expired session id cookie; in which case PHP issues a new session id cookie. The session id file associated with the expired cookie becomes abandoned, does not get accessed anymore; therefore garbage collected anytime as described above.
Last, your specific issue can be resolved (i) by looking at the expiry date of session id cookie (ii) and remembering that cookies with timeout are not renewed when page is visited/refreshed.
I'm using 24 hour sessions at the moment to keep users logged in, if they browse to another page of the site after 30 minutes of the session starting then the session will be regenerated to extend the session expiration time to time() + 24 hours.
I am using php.ini to ensure only cookie sessions are used and altered their default save time to just over 24 hours:
session.gc_maxlifetime = 90000
session.cookie_lifetime = 90000
session.use_trans_sid = 0
session.use_only_cookies = 1
I use the following to being a session:
session_save_path("/home/user/sessions");
session_set_cookie_params("86400", "/");
session_name("auth");
session_start();
but at the moment my sessions seem to get lost within the first hour. The cookie auth is still there but it doesn't seem to link to the information that was stored when the session was made:
$_SESSION['userId'] = $row[0];
$_SESSION['created'] = time();
This leads me to think that the regeneration part is somehow incorrect?
To regenerate a cookie after 30 minutes I am using:
if($_SESSION['created'] + 30 * 60 < time())
{
session_regenerate_id();
$_SESSION['created'] = time();
}
Does the above code need to have some way to keep the session id after regeneration?
Like:
$sid = session_id();
session_regenerate_id();
session_id($sid);
session_start();
or is this not necessary? Are there any other reasons my sessions could be getting lost/mixed up?
Session lifetimes are (usually) dependable. But since you mention that they seem to be getting wiped out within an hour, it makes me think that the server is running a debian or debian derived OS.
On our server (running ubuntu 10.10), sessions get cleaned out every half-an-hour by the system through a cron job, whether or not the session is still valid. The only way around it is by creating your own session handler.
If the server is not debian based, then I'd have to say I don't know.
Interesting, when a session is created it stores a session file in the temporary folder on the server, if this file is deleted or removed then the session would be lost, could this be happening?
A work around for this would be to set a cookie valid for 24 hours with a unique pair of values that you can store against a user, that way when they return if the session has been destroyed they will still be logged in as the script would match the data from the cookies to the data held in the database.
What information are you storing in the session as this would also be lost.