CakePHP 3 debug session timeout - php

We moved our application to a new server and now the session is expiring too soon (not sure about exact hours) for the logged in users. We tried many things to find out why the session is expiring in a production environment but until now we are unsuccessful. We want to put the expiration for 20 days.
Stuff we tried:
This is the current configuration:
'Session' => [
    'defaults' => 'php',
    'cookie' => 'MYAPPHO',
    'timeout' => 80320, // in min
    'ini' => [
        'session.gc_maxlifetime' => 1728000, // in sec
        'session.cookie_lifetime' => 1728000
    ]
]
We also tried to set the
'defaults' => 'cache'
and to set the values in .htaccess
php_value session.cookie_lifetime 1728000
php_value session.gc_maxlifetime 1728000
php_value session.cache_expire 1728000
but the behavior is the same.
We also did some debugging in Network\Session::_timedOut(), but it is OK; the session is never expiring for that reason.
Is there any way to debug more and find out what is causing the session to expire?

Hackers would be delighted to have sessions never expire, because then any stolen session ID would become a permanent key to unlock your web application.
More details on why what you've tried with session.gc_maxlifetime and session.cookie_lifetime didn't work can be found here.
Anyways, you can do it by setting the value of session.gc_probability to 0 before starting the session.

Just try to restart your application server. Sometimes the server cache behaves weirdly. Hope this will resolve your issue.

Related

Laravel 5 Session Lifetime

According to Laravel config/session.php
/*
|--------------------------------------------------------------------------
| Session Lifetime
|--------------------------------------------------------------------------
|
| Here you may specify the number of minutes that you wish the session
| to be allowed to remain idle before it expires. If you want them
| to immediately expire on the browser closing, set that option.
|
*/
'lifetime' => 120,
'expire_on_close' => true,
'expired-session-redirect' => url(env('APP_URL'))
I have set the lifetime of my session to 120 minutes, but I have a feeling that my user is logged out way before 120 minutes.
Is that a typo? Do they mean 120 seconds, which is 2 mins?
Can anyone please shed some light on this?
Check your php.ini for:
session.gc_maxlifetime - Default 1440 secs - 24 mins
session.gc_maxlifetime specifies the number of seconds after which data will be seen as 'garbage' and potentially cleaned up. Garbage collection may occur during session start (depending on session.gc_probability and session.gc_divisor).
session.cookie_lifetime - Default 0
session.cookie_lifetime specifies the lifetime of the cookie in seconds which is sent to the browser. The value 0 means "until the browser is closed." Defaults to 0. See also session_get_cookie_params() and session_set_cookie_params().
In case it is less time than the Laravel configuration, the cookie will be removed because the local php.ini has preference over the Laravel configuration.
You can just increase it, or comment it out or delete it.
In case it is not solved, something in your app is destroying the session.
UPDATE
After release v5.5.22 session lifetime is loaded from .env and is not hardcoded anymore at config/session.php, changes there.
Now you can modify the session lifetime using:
SESSION_LIFETIME=90 # minutes
In your .env file.
Change .env file in your app root
SESSION_LIFETIME=120
And value is in minutes.
I found lifetime settings on this place in one project...
bootstrap/cache/config.php
so I need to run first
php artisan config:clear
Please modify true to false for Expire on close as:
'expire_on_close' => false,

Session timeout difference in local and production servers (CakePHP 2x)

I set up my session timeout in CakePHP to be very long due to a business need. I configured it in core.php like this:
Configure::write('Session', array(
    'defaults' => 'php',
    'timeout' => 4320, // minutes
    'cookieTimeout' => 1440, // The session cookie will live for at most 24 hours; this does not affect session timeouts
    'checkAgent' => false,
    'autoRegenerate' => true, // causes the session expiration time to reset on each page load
    'ini' => array(
        'session.gc_maxlifetime' => 259200 // 3 days in seconds
    )
));
I ran some tests on the local server and on the production server and I see some differences:
Local development environment (PC)
1 hour: successful (session not closed)
2 hours: successful (session not closed)
4 hours: successful (session not closed)
Production server
1 hour: successful (session not closed)
2 hours: not successful (session closed)
I need to be able to have big timeouts (4 hours minimum) on the production server. Why do I have these differences between the local PC and the server?
This is because your web host has a different PHP configuration. You can check the session expiry time using phpinfo().
You can set it using PHP ini

Yii 1 CDbHttpSession timeout ignored

Both CDbHttpSession and CHttpSession seem to be ignoring the timeout value and garbage collect data after a fairly short time (less than 12 hours). What could be the problem?
'session' => array(
    'class' => 'CDbHttpSession',
    'autoCreateSessionTable' => true,
    'autoStart' => true,
    'timeout' => 1209600,
    'cookieMode' => 'only',
    'sessionName' => 'ssession',
),
Maybe this is what you are looking for:
Setting the timeout for CHttpSession just sets the
session.gc_maxlifetime PHP setting. If you run your application on
Debian or Ubuntu, their default PHP has the garbage collector disabled
and runs a cron job to clean it up.
In my apps I set the session dir somewhere in protected/runtime to
separate my session from other apps. This is important on shared
hosting sites and it's a good habit. The downside is that I have to
remember to set up a cronjob to clean the files in that folder.
Anyway, you should also set a timeout when calling CWebUser.login to
log in a user.
from Yii Forum Post
Check duration parameter in CWebUser.login

Apache making the session time out longer

I already altered my php.ini in Apache to have these settings:
session.gc_maxlifetime = 1440
session.cache_expire = 1500
But my sessions are not that long. The problem is that I am not certain which settings would "do the trick"
Ideally I am looking for the right configuration to have the session last 12 hours. Could anyone help me with that?
Do you also have session.cookie_lifetime = 0 set?
And maybe somewhere in your scripts or some included scripts the session lifetime is set to another value?
The default "0" value means that the cookie stays alive until the browser is closed. This is also the default value, if not set in php.ini.
Source: http://www.php.net/manual/en/session.configuration.php#ini.session.cookie-lifetime
session.gc_maxlifetime is measured in seconds, so your setting of 1440 will expire after 24 minutes. (see: http://php.net/session.gc-maxlifetime)
For 12 hour session I believe you need:
session.gc_maxlifetime = 43200
session.cache_expire = 720
session.cookie_lifetime = 0
Have a look at:
session.cookie_lifetime x
Where x is the lifetime in seconds
Also, if you are on a shared host, make sure the session data under /tmp is not removed by the host with some sort of clean script. Some hosts clear /tmp every 10 minutes.

Auth timeout problems with CakePHP

This is really bugging me. Has been for years. No matter what I do with core.php or php.ini, my logins timeout after about an hour - usually. Some deployments of identical code and configuration timeout after a respectable amount of time.
This is what I have at the moment on one site - timed out after about an hour:
session.gc_divisor 1000
session.gc_maxlifetime 86400
session.gc_probability 1
Configure::write('Session.timeout', '28800');
Configure::write('Session.checkAgent', false);
Configure::write('Security.level', 'medium');
And another - lasted all night:
session.gc_divisor 100
session.gc_maxlifetime 14400
session.gc_probability 0
Configure::write('Session.timeout', '315360000');
Configure::write('Session.checkAgent', false);
Configure::write('Security.level', 'medium');
Now, before you get excited and say, "Well, the answer is there in the Session.timeout value", let me tell you that this site usually times out after about twenty minutes!
Somewhere I read that on shared hosting, other applications can reset the session by clearing the php-defined session directory. This was alluded to by Rowlf in his answer.
CakePHP offers the option to configure the way sessions are handled. In core.php I changed this to 'cake' (by default it is 'php'):
/**
* The preferred session handling method. Valid values:
*
* 'php' Uses settings defined in your php.ini.
* 'cake' Saves session files in CakePHP's /tmp directory.
* 'database' Uses CakePHP's database sessions.
*/
Configure::write('Session.save', 'cake');
I also ensured that the session timeout and the corresponding php.ini values are the same:
/**
* Session time out time (in seconds).
* Actual value depends on 'Security.level' setting.
*/
Configure::write('Session.timeout', '86400');
So far, the system hasn't logged out.
I don't think this is a Cake-specific thing; I've seen it when no frameworks were involved - it's most likely an issue with your PHP config settings.
Things you should check/do to fix the issue:
Specify a dedicated path to store sessions in session.save_path if you don't already do so. Don't store them in /tmp - some other process may come along and wipe them for you.
Make sure (and I mean really sure) that the value of session.gc_maxlifetime is what you think it is (86400 if you want your logins to time out after 24 hrs of inactivity, etc.). Same with session.gc_divisor and session.gc_probability. Even though the PHP Manual specifies that session settings can be set on any level, depending on the dodginess of your PHP build (they're all slightly buggy in their subtle ways :)) you may find they don't actually take effect unless set in the global php.ini file as opposed to in the code, .htaccess, etc. Just output them in your actual app to be sure they are applied.
Also, depending on your environment, check if the PHP CLI build is using the same php.ini file as the default PHP build - if the CLI build is using another config file and you have cron jobs using the CLI build, the cron job scripts could be invoking the session cleanup procedure.
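One way to follow the advice to output the settings from inside the running app, as an added example that is not part of the original answers: a PHP function that lists the effective session values and flags the early-expiry causes raised in these threads. The function name sessionExpiryReport and the target lifetime argument are assumptions made for this example.

```php
<?php
// Added diagnostic, not code from the original posts. $wantedSeconds is an
// assumed target lifetime chosen by the caller (20 days = 1728000 s below).
function sessionExpiryReport(int $wantedSeconds): array
{
    $ini = ini_get_all('session'); // per key: global_value (master), local_value (effective)
    $eff = function (string $key) use ($ini) {
        return $ini[$key]['local_value'] ?? null;
    };
    $findings = [];

    // Settings changed after php.ini was read (.htaccess, framework 'ini' block, ini_set()).
    foreach ($ini as $key => $v) {
        if ($v['global_value'] !== $v['local_value']) {
            $findings[] = sprintf('%s overridden: master=%s effective=%s', $key,
                var_export($v['global_value'], true), var_export($v['local_value'], true));
        }
    }

    $maxLife = (int) $eff('session.gc_maxlifetime');
    if ($maxLife < $wantedSeconds) {
        $findings[] = "gc_maxlifetime is {$maxLife}s: data may be collected before {$wantedSeconds}s";
    }

    $cookie = (int) $eff('session.cookie_lifetime');
    if ($cookie === 0) {
        $findings[] = 'cookie_lifetime is 0: the cookie lasts only until the browser is closed';
    } elseif ($cookie < $wantedSeconds) {
        $findings[] = "cookie_lifetime is {$cookie}s: the cookie expires before {$wantedSeconds}s";
    }

    $prob = (int) $eff('session.gc_probability');
    $div  = max(1, (int) $eff('session.gc_divisor'));
    $findings[] = $prob === 0
        ? 'gc_probability is 0: PHP itself never collects, so look for an external cleanup job'
        : sprintf('PHP garbage collection runs on about %.2f%% of session starts', 100 * $prob / $div);

    if ($eff('session.save_handler') === 'files') {
        // save_path may be "N;MODE;/path"; the directory is the last ';'-separated part.
        $dir = (string) substr(strrchr(';' . $eff('session.save_path'), ';'), 1);
        if ($dir === '' || rtrim($dir, '/') === rtrim(sys_get_temp_dir(), '/')) {
            $findings[] = 'save_path is the shared temp directory: other apps or cleanup scripts can delete these files';
        }
    }
    return $findings;
}

// Run after the framework has applied its session configuration.
echo implode(PHP_EOL, sessionExpiryReport(1728000)), PHP_EOL;
```

Running it once on the local machine and once on the production server, then comparing the two lists, shows which setting differs between the environments.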
If you have many CakePHP apps on the same server, this can be the cause of your troubles. Don't forget to:
Prefix each app differently ($prefix in core.php).
Change the name of each cookie path:
Configure::write('Session', array(
    'defaults' => 'php',
    'timeout' => 4320,
    'ini' => array(
        'session.cookie_path' => '/name_app', // this for each app
    )
));
