I'm trying to increase my session variable time but they always end up expiring in the default time.
In the image you can see that session.gc_maxlifetime changes in the local value but does not change in master value.
What should I do so that session.gc_maxlifetime lasts longer so that session variables are not precosily deleted?
Try also changing session.cookie_lifetime duration
Related
gc_maxlifetime is already set to 24 minutes, but when each application has a different sess_expiration. One of them is set to 9000 seconds (2 1/2 hours). The app is expired based on gc_maxlifetime not sess_expiration. Why is that? How can the sess_expiration work if it is longer than gc_maxlifetime?
Reading from here: why ini_set('session.gc_maxlifetime',60) doesn't work? and here: https://www.dev-metal.com/how-the-php-session-garbage-collector-really-works/
Because garbage collector starts (if starts) before session
I think that the gc_maxlifetime fires before your CI session handler and for this it 'wins'.
For not being forced to modify your php.ini file, you could try to set it before each session_start:
ini_set("session.cookie_lifetime","7200");
ini_set("session.gc_maxlifetime","7200");
session_start();
Or in your .htaccess file:
php_value session.gc_maxlifetime 7200
php_value session.cookie_lifetime 7200
You could read more here: Codeigniter increase session time out not working
Hope it helps!
Not really as simple as you've put it ...
It is true that gc_maxlifetime is what determines if a session should be deleted or not, because that's effectively the "server-side timer" that counts towards the deletion of a session - there's one on the client side as well, because that's where cookies are stored.
However, CodeIgniter will set gc_maxlifetime to the same value that you put in sess_expiration, unless it is 0 (in which case it uses your php.ini value).
But something else in your question may be important:
but when each application has a different sess_expiration. One of them is set to 9000 seconds (2 1/2 hours)
If you are using the same sess_save_path, sess_cookie_name, sess_match_ip on the same server, but for multiple applications ... then the application with the lowest sess_expiration value will at some point delete sessions that you intended to be still valid for others.
TL;DR: Don't use the same session "space" for separate applications.
I want to retrieve the value of session.gc_maxlifetime from the PHP server settings ( the time after which the session expires after no activity ).
Very important : I do not want to change it, I only wish to retrieve its value ( maybe the value is different from server to server ) and I want to use a PHP script that I made to warn users properly, depending on the settings of those server.
Thank you.
That's where ini_get function comes in hand:
$maxlifetime = ini_get("session.gc_maxlifetime");
From manual we read:
session.gc_maxlifetime integer
session.gc_maxlifetime specifies the number of seconds after which data will be seen as 'garbage' and potentially cleaned up. Garbage collection may occur during session start (depending on session.gc_probability and session.gc_divisor).
session.gc_maxlifetime is not the time after which the session expires after no activity. gc here may be mean garbage collenction.
As the php manual says,
session.gc_maxlifetime specifies the number of seconds after which
data will be seen as 'garbage' and potentially cleaned up. Garbage
collection may occur during session start (depending on
session.gc_probability and session.gc_divisor).
Note: If different scripts have different values of
session.gc_maxlifetime but share the same place for storing the
session data then the script with the minimum value will be cleaning
the data. In this case, use this directive together with
session.save_path.
For more refer to this post.
I already made these adjustments in my php.in file and then stopped/started the server:
; 24 hour session cookie
session.cookie_lifetime = 86400
; Prevent server from cleaning up session
; Some value higher than the cookie lifetime
session.gc_maxlifetime = 200000
But that seemed to do nothing and my users are still complaining that they get logged out after about 30 minutes. And I am also getting logged out often.
What else could I look into or do in order to make my users who are logged in not to be logged out and keep them logged in at least 24 hours or more.
Thanks!
Whilst you can increase the session time out using code similar to the below: (in .htaccess, if you are on apache)
php_value session.gc_maxlifetime 86400
php_value session.gc_probability 1
php_value session.gc_divisor 100
The problem is that your sessions folder can become cluttered with inactive session files. Our sites use a half hour time out, but we have a an AJAX poller as part of the management interface which keeps the session alive once every 15 minutes. That way we only keep the session open for active users (even if they are perfoming long term operations)
Alternatively you may consider storing a separate - longer term - cookie which can be used to quickly re-establish the users session should it expire, again this prevents the need to fill your server with cumbersome session files.
What is the actual difference between session.gc_maxlifetime and session_cache_expire() ?
Suppose I want the users session to be invalid after 15 minutes of non-activity (and not 15 after it was first opened). Which one of these will help me there?
I also know I can do session_set_cookie_params() which can set the user's cookie to expire in some amount of time. However, the cookie expiring and the actual session expiring on the server side are not the same; does this also delete the session when the cookie has expired?
Another solution I have though of is simple
$_SESSION['last_time'] = time()
on every request, and comparing the session to the current time, deleting the session based on that. I was hoping there was a more "built-in" mechanism for handling this though.
Thanks.
I spent some time looking for a good answer to how the php.ini server settings make
sessions expire. I found a lot of info but it took a while to figure out why
the settings work the way they do. If you're like me, this might be helpful to you:
Sessions are stored as cookies (files on the client's pc) or server side as files
on the server. Both methods have advantages and disadvantages.
For the sessions stored on the server, three variables are used.
session.gc_probability
session.gc_divisor
session.gc_maxlifetime
(session.gc_probability/session.gc_divisor) produces the probability that the
garbage collection routine will run. When the garbage collector runs, it
checks for session files that haven't been accessed for at least session.gc_maxlifetime
and deletes them.
This is all explained pretty well in forum posts (this one especially!) - But the
following questions do come up:
1.) How is that probability applied? When does the server roll the dice?
A: The server rolls the dice every time session_start() is called during
any active session on the server. So this means you should see the garbage
collector run roughly once for every 100 times that session_start() is called
if you have the default of session.gc_probability = 1 and session.gc_divisor = 100
2.) What happens on low volume servers?
A: When session_start() is called it FIRST refreshes the session and makes the
session values available to you. This updates the time on your session file on the
server. It THEN rolls the dice and if it wins (1 out of 100 chance) it calls the garbage collector. The garbage collector then checks all session id files and sees if there are
any that are eligible for deletion.
So this means that if you are the only person on the server, your session will
never go inactive and it will appear as though changing the settings have no
effect. Let's say you change session.gc_maxlifetime to 10 and session.gc_probability
to 100. This means there is a 100% chance the garbage collector will run and it
will clear out any session files that haven't been accessed in the last 10 seconds.
If you're the only one on the server, your session will not be deleted. You need
at least 1 other active session running for yours to go inactive.
So basically, on a low volume server or at a low volume time - it could be MUCH
longer than session.gc_maxlifetime before the garbage collector actually runs and
the sessions are actually deleted. And without knowing how this works, it may
appear completely random to you.
3.) Why do they use the probability?
A: Performance. On a higher volume server you don't want the garbage collector
running on every request of session_start(). It will slow down the server
needlessly. So depending on your server volume, you may want to increase
or decrease the probability that the garbage collector runs.
I hope that this ties things together for you. If you're like me and you tried
session.gc_maxlifetime and it didn't seem to work (because you tried it
out on a development server so as not to disturb anyone), then this post
hopefully saved you some head scratching.
Good luck!
Each time session_start is called the session files timestamp (if it exists) gets updated, which is used to calculated if session.gc_maxlifetime has been exceeded.
More importantly you can't depend on a session to expire after session.gc_maxlifetime time has been exceeded.
PHP runs garbage collection on expired sessions after the current session is loaded and by using session.gc_probability and session.gc_divisor it calculates the probability that garbage collection will run. By default its a 1% probability.
If you have a low number of visitors there is a probability that an inactive user could access a session that should have expired and been deleted. If this is important to you will need to store a timestamp in the session and calculate how log a user has been inactive.
This example replaces session_start and enforces a timeout:
function my_session_start($timeout = 1440) {
ini_set('session.gc_maxlifetime', $timeout);
session_start();
if (isset($_SESSION['timeout_idle']) && $_SESSION['timeout_idle'] < time()) {
session_destroy();
session_start();
session_regenerate_id();
$_SESSION = array();
}
$_SESSION['timeout_idle'] = time() + $timeout;
}
session.gc_maxlifetime is based off of the last time a session file was modified. So every time a session file is modified or a session_start() is called in a separate page, the countdown to gc_maxlifetime begins anew and the user stays "logged in". This is the value you are looking for. You can modify this through ini_set() in your php files, or edit php.ini if you have access to it
session_cache_expire() only controls the HTTP "Expires" header. This header controls how long the downloaded page contents stay in the user's browser cache.
To check the current values, this code will be helpful:
$gc_maxlifetime = ini_get('session.gc_maxlifetime');
$gc_probability = ini_get('session.gc_probability');
$gc_divisor = ini_get('session.gc_divisor');
Anybody can help on how to increase session expiry in php through htaccess?
So far I got this:
php_value session.cookie_lifetime 14400
php_value session.gc_maxlifetime 14400
php_value session.gc_probability 1
php_value session.gc_divisor 1
If I'm not mistaken, the life time of the cookie will be of 4 hours. What I'm trying to do is to increase the idle time of the session only, not the session cookie. Right now, after 4 hours I get kick out from my app. Can someone help me on how to o this?
Thanks
The lifetime of the session is bound to cookie_lifetime and gc_maxlifetime, which are respectively the lifetime of the cookie and the lifetime of data into your session. That being said, a session can't survive without a cookie so cookie_lifetime as to be greater or equal to gc_maxlifetime; otherwise, no garbage collection of your data will be done and cookie will expire before any data can possibly expire.