There is a Symfony 4 app with PdoSessionHandler where the session duration is supposed to be 10 hours, e.g. 36000 seconds.
framework.yaml has: cookie_lifetime: 86400
php.ini has: session.gc_maxlifetime 36000
However sess_lifetime in sessions table is still 1440.
How to make sure that session lifetime would be 10 hours?
Turned out that framework.yaml had another parameter that was overwriting php.ini value.
Changing this value helped:
framework:
    session:
        gc_maxlifetime: 36000
See https://symfony.com/doc/current/reference/configuration/framework.html#gc-maxlifetime
Related
I have a symfony2 project with a page to write the report of a meeting. It means the user can stay on this page and type for 2 hours without loading any new page. So when the user sends the form, his session has expired and he is sent to the login page. And he loses everything he typed.
I've already seen this post "symfony2 session lifetime" so here is my config.yml :
framework:
    session:
        handler_id: ~
        cookie_lifetime: 86400
        gc_maxlifetime: 108000
So a 24 hours cookie lifetime and a 30 hour garbage collector... Still, I tried staying 1 hour on the page and I am disconnected...
Any idea where to look? Thanks!
So, it looks like changing symfony's config.yml doesn't work. But after modifying the gc_maxlifetime to 108000 in my php.ini it works, I am not disconnected after some idle time.
I guess this might be linked to the handler_id: ~ (which is default), but I don't really know why... Anyway, works this way :)
Try these settings:
framework:
    session:
        cookie_lifetime: 60 # 60 seconds
        gc_maxlifetime: 50 # 50 seconds - only needed for testing. Don't use this in a production environment
        gc_probability: 1 # only needed for testing. Don't use this in a production environment
        gc_divisor: 1 # only needed for testing. Don't use this in a production environment
You can see them over here: https://codedump.io/share/9eVPS5otSIuk
How to change the default session lifetime in Silex.
The default value is 30 min.
The doc http://silex.sensiolabs.org/doc/providers/session.html#usage is giving a clue but doesn't show an example how to do it.
When I set a session like this:
$app['session']->set('username', 'my username');
The session variable is set but it expires in 30 min.
Silex uses the Symfony Components. You can set the expiration using the migrate method for a certain session.
E.g.: $app['session']->migrate(false, 3600);
Docs
To set the expiration for all sessions:
$app['session.storage.options'] = [
    'cookie_lifetime' => 3600
];
Source
Don't forget that you must have some coherence between lifetime settings in Silex and lifetime settings in your php.ini.
By default, PHP lifetime sessions are set to 1440 seconds. If you don't change this default value, the session garbage mechanism (run by /etc/cron.d/php5) will remove "old" sessions (i.e. sessions with 1440 seconds of inactivity).
Here is the explanation of /etc/cron.d/php5:
# This purges session files in session.save_path older than X,
# where X is defined in seconds as the largest value of
# session.gc_maxlifetime from all your SAPI php.ini files
# or 24 minutes if not defined. The script triggers only
# when session.save_handler=files.
#
# WARNING: The scripts tries hard to honour all relevant
# session PHP options, but if you do something unusual
# you have to disable this script and take care of your
# sessions yourself.
I have added the following lines in my htaccess file :
php_value session.cookie_lifetime 14400
php_value session.gc_maxlifetime 14400
Also have added a php.ini file in the root directory with the following code :
session.gc_maxlifetime = 14400
session.cookie_lifetime = 14400
Also inside the php code have added the following lines :
ini_set('session.cookie_lifetime',14400);
ini_set('session.gc_maxlifetime',14400);
setcookie("_lid", $lid, time() + 14400);
So basically the session should work for 4 hours. But it is getting timed out in about 24 mins or so which is the default timeout time in php.
I may be missing something. Would be great if someone can provide some inputs.
Thanks
I was having the exact same problem - the session.gc_maxlifetime & session.cookie_lifetime values were set but appeared to not be honoured... Then, I found a comment on an old thread which clearly needs a lot more recognition:
How do I expire a PHP session after 30 minutes?
Please note that at least two settings are crucial to setting the
session time, and maybe three. The two certainly crucial ones are
session.gc_maxlifetime and session.cookie_lifetime (where 0 is not the
same as some long number). For complete, 100% certainty of allowing
long times, it may also be necessary to set the session.save_path, due
to varying OS-controlled cleanup time on the /tmp directory where
session files get stored by default. – #Kzqai Apr 7 '11 at 8:04
Last night I logged in and the following morning I was still logged in, even if I quit my browser. I want the session to expire after a few hours and I thought that it would work with "session.gc_maxlifetime" set to "1440" and "session.cache_expire" set to "180"
Here is what I could find from PHP.ini
Session Support enabled
Registered save handlers files user
Registered serializer handlers php php_binary wddx
session.auto_start Off
session.bug_compat_42 Off
session.bug_compat_warn Off
session.cache_expire 180
session.cache_limiter nocache
session.cookie_domain no value
session.cookie_httponly Off
session.cookie_lifetime 0
session.cookie_path /
session.cookie_secure Off
session.entropy_file no value
session.entropy_length 0
session.gc_divisor 1000
session.gc_maxlifetime 1440
session.gc_probability 0
session.hash_bits_per_character 5
session.hash_function 0
session.name PHPSESSID
session.referer_check no value
session.save_handler files
session.save_path /var/lib/php5
session.serialize_handler php
session.use_cookies On
session.use_only_cookies On
session.use_trans_sid 0
On our old server we used the same settings and the sessions worked.
The only difference from the old one is the "session.save_handler" that is set to "memcache" on the old server. Also "session.save_path" is different.
Relying on other things and hope them to work is not my thing. :D I think that the best solution would be to implement a session timeout on your own. Use a simple time stamp that denotes the time of the last activity (i.e. request) and update it with every request:
if (isset($_SESSION['LAST_ACTIVITY']) && (time() - $_SESSION['LAST_ACTIVITY'] > 1800)) {
    // last request was more than 30 minutes ago
    session_unset();     // unset $_SESSION variable for the run-time
    session_destroy();   // destroy session data in storage
}
$_SESSION['LAST_ACTIVITY'] = time(); // update last activity time stamp
Updating the session data with every request does also change the session file’s modification date so that the session is not removed by the garbage collector prematurely.
~Foorack
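The timestamp check from the answer above, extended here as an added example (not the answerer's code) with an absolute age cap and periodic session ID rotation. The ABSOLUTE_LIMIT and ROTATE_EVERY values and the CREATED and ROTATED keys are assumptions, not taken from the page.

```php
<?php
// Added example, not from the original answers. Limits below are assumed values.
const IDLE_LIMIT     = 1800;   // max seconds between requests (30 min, as in the answer)
const ABSOLUTE_LIMIT = 36000;  // assumed hard cap on total session age (10 h)
const ROTATE_EVERY   = 900;    // assumed interval for issuing a fresh session ID

// Pure decision on stored timestamps: 'new' (unstamped), 'expired', 'rotate' or 'ok'.
function sessionState(array $s, int $now): string
{
    if (!isset($s['CREATED'], $s['LAST_ACTIVITY'], $s['ROTATED'])) {
        return 'new';
    }
    if ($now - $s['LAST_ACTIVITY'] > IDLE_LIMIT || $now - $s['CREATED'] > ABSOLUTE_LIMIT) {
        return 'expired';
    }
    return ($now - $s['ROTATED'] > ROTATE_EVERY) ? 'rotate' : 'ok';
}

// Call once per request, before any session data is trusted.
// Returns false when the previous session was discarded (caller should require re-login).
function enforceSessionTimeout(): bool
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $now   = time();
    $state = sessionState($_SESSION, $now);

    if ($state === 'expired') {
        $_SESSION = [];               // drop the stale data for this request
        session_regenerate_id(true);  // new ID, and delete the old session's storage
    } elseif ($state === 'rotate') {
        session_regenerate_id(true);  // same data, fresh ID
    }
    if ($state !== 'ok') {
        $_SESSION['ROTATED'] = $now;
    }
    if ($state === 'new' || $state === 'expired') {
        $_SESSION['CREATED'] = $now;
    }
    $_SESSION['LAST_ACTIVITY'] = $now; // every request refreshes the idle timer
    return $state !== 'expired';
}
```

Because the limits are checked against timestamps stored in the session itself, the result does not depend on when, or whether, the garbage collector runs.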
It may help to change gc_probability to something other than 0.
From the manual for gc_divisor:
session.gc_divisor coupled with session.gc_probability defines the probability that the gc (garbage collection) process is started on every session initialization. The probability is calculated by using gc_probability/gc_divisor, e.g. 1/100 means there is a 1% chance that the GC process starts on each request. session.gc_divisor defaults to 100.
If I'm reading from this right, with gc_probability being 0, the garbage collector is never run, rendering gc_maxlifetime useless.
GC is an expensive process for file-based sessions, so it's not a good idea to run it on every request, [edit: so PHP has a built in randomization to run it periodically]
Addendum:
For anything with real security implications, it's likely better to handle invalidating the session in your script, as Max's answer suggests. Also session.cache_expire sets the default expiration for session pages that are sent to the browser, and doesn't affect session storage at all.
Given you've reset gc_maxlifetime, a couple of things I can think of left to check when this happens:
PHP needs a restart
session is recreated/regenerated somewhere
I already altered my php.ini in Apache to have these settings:
session.gc_maxlifetime = 1440
session.cache_expire = 1500
But my sessions are not that long. The problem is that I am not certain which settings would "do the trick"
Ideally I am looking for the right configuration to have the session last 12 hours. Could anyone help me with that?
Do you also have session.cookie_lifetime = 0 set?
And maybe somewhere in your scripts or some included scripts the session lifetime is set to another value?
The default "0" value means that the cookie stays alive until the browser is closed. This is also the default value, if not set in php.ini.
Source: http://www.php.net/manual/en/session.configuration.php#ini.session.cookie-lifetime
session.gc_maxlifetime is measured in seconds, so your setting of 1440 will expire after 24 minutes. (see: http://php.net/session.gc-maxlifetime)
For 12 hour session I believe you need:
session.gc_maxlifetime = 43200
session.cache_expire = 720
session.cookie_lifetime = 0
Have a look at:
session.cookie_lifetime x
Where x is the lifetime in seconds
Also, if you are on a shared host, make sure the session data under /tmp is not removed by the host with some sort of clean script. Some hosts clear /tmp every 10 minutes.
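Several of the threads above came down to a setting being overridden somewhere else, so the following added example (not code from any of the answers) reads the values PHP is actually using at runtime and flags the mismatches the answers describe. The function names are hypothetical, and the sample array is copied from the phpinfo() listing quoted in one of the questions.

```php
<?php
// Added example, not from the original answers.
// Keys whose effective (runtime) values decide how long a session really lasts.
const SESSION_KEYS = [
    'session.gc_maxlifetime', 'session.cookie_lifetime', 'session.gc_probability',
    'session.gc_divisor', 'session.save_handler', 'session.save_path',
];

// Effective values after php.ini, .htaccess, framework config and ini_set() have all applied.
function effectiveSessionSettings(): array
{
    return array_combine(SESSION_KEYS, array_map('ini_get', SESSION_KEYS));
}

// Return human-readable findings for one set of settings.
function auditSessionSettings(array $ini): array
{
    $gcMax  = (int) $ini['session.gc_maxlifetime'];
    $cookie = (int) $ini['session.cookie_lifetime'];
    $prob   = (int) $ini['session.gc_probability'];
    $div    = (int) $ini['session.gc_divisor'];
    $out    = ["server-side data may be purged after {$gcMax}s of inactivity"];

    if ($cookie === 0) {
        $out[] = 'cookie_lifetime=0: cookie lives until the browser closes, not for a fixed time';
    } elseif ($cookie > $gcMax) {
        $out[] = "cookie ({$cookie}s) outlives gc_maxlifetime ({$gcMax}s): data can vanish first";
    }
    if ($prob === 0) {
        $out[] = 'gc_probability=0: PHP never starts GC itself; cleanup depends on an external job';
    } elseif ($div > 0) {
        $out[] = sprintf('GC starts on ~%.2f%% of session starts, so expiry is not exact', 100 * $prob / $div);
    }
    if ($ini['session.save_handler'] === 'files' && strpos((string) $ini['session.save_path'], '/tmp') === 0) {
        $out[] = 'session files under /tmp: host cleanup scripts may delete them early';
    }
    return $out;
}

// Sample: values copied from the phpinfo() listing quoted in one of the questions above.
$sample = [
    'session.gc_maxlifetime' => '1440', 'session.cookie_lifetime' => '0',
    'session.gc_probability' => '0', 'session.gc_divisor' => '1000',
    'session.save_handler' => 'files', 'session.save_path' => '/var/lib/php5',
];
foreach (['sample' => $sample, 'this runtime' => effectiveSessionSettings()] as $label => $ini) {
    echo "[$label]\n  " . implode("\n  ", auditSessionSettings($ini)) . "\n";
}
```

Run it through the same SAPI that serves the application (for example from a temporary route), since CLI and web server often load different php.ini files.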