So in this Zend 1 application, when I go to the start page, I can see that there is a cookie named PHPSESSID.
I then log in (a custom login) and the user can go through protected pages.
But if he is inactive for more than 30 minutes, then when requesting a protected page the application will redirect him to the login page.
What I was focusing on was the PHPSESSID, which initially was set to 30 minutes. I increased that by adding "28800" to what seems to be a global call to setcookie.
When I then reloaded the page, I could see that PHPSESSID would expire after 8 hours.
Despite this, the user is still being logged out after 30 minutes.
So changing the cookie expiration didn't give anything.
What's next? Changing the php session duration?
Current relevant values are:
session.cache_expire: 180
session.gc_divisor: 1000
session.entropy_length: 32
session.gc_maxlifetime: 14400
session.gc_probability: 1
session.name: PHPSESSID
Or is this related to the framework itself? Somewhere in Zend to adjust the expiration of the session?
If you are using Zend then try this.
$auth = Zend_Auth::getInstance();
if ($auth->hasIdentity()) {
    $authns = new Zend_Session_Namespace($auth->getStorage()->getNamespace());
    $authns->setExpirationSeconds(60 * 30); // expire auth storage after 30 min
}
If you have multiple PHP sites storing session files in the same dir, the PHP GC processes may have different settings for sessions. In this case store the session files in another directory, used only by your site.
Related
I have tried lots of suggestions and alternatives, from controlling via php code and server configuration to keeping sessions on my website active for a maximum of 4 hours (without user interaction). The methods I've been using just don't work. After the session start, if there is no user activity, in 30 minutes the session is automatically destroyed when my goal is 4 hours maximum.
Options after Research I've tried:
In the past I could easily solve it with Meta Refresh directly in the HTML, but it was giving a very boring user experience, because the forms restarted every 15 minutes.
<meta http-equiv="refresh" content="900">
I'm currently trying to configure via setcookie and php.ini configuration, but the session won't hold for the 4 hours (14400 seconds) that I need. The expiration time is well defined in the Cookies in the browser (as you can see in the image), but in practice what happens is that it can only be kept alive for a maximum of 30 min (without any user activity). Am I missing some important detail?
<?php
session_start();
$start = time();
$expire = $start+14400;
session_regenerate_id();
setcookie(session_name(),session_id(),$expire);
// code continues
?>
php.ini - config
date.timezone = "Europe/London"
session.cookie_httponly = 1
session.name = "SID"
session.gc_maxlifetime = 14400
session.save_path = "/opt/alt/php74/var/lib/php/session"
Cookie Info in Browser
I am developing a simple php website named : http://www.dopanchat.com
In this site I used sessions to develop the login system. Everything works fine, but after some amount of time (for example, after 1 hour) the session expires automatically and the user is logged out from my site.
I don't know if it's a server problem or anything else.
Please help me to resolve this problem, you can check here: http://www.dopanchat.com
Extending your session timeout is an approach, but I won't recommend expanding it too much :)
Instead your application could detect user activities and refresh the session expiry time accordingly.
After all, it doesn't really matter what the session's timeout is; at some point the user will lose the authentication due to the expired session.
Basically the expiry countdown always starts after the user's last action and not from the moment s/he logged in to your system.
Try this:
// Time in seconds before the session expires
ini_set('session.gc_maxlifetime', 3600);
// Time in seconds before the session ID in the cookie expires
session_set_cookie_params(3600);
// Start session
session_start();
I think this is going to work. Tell me if it works!
(Sorry for my bad english :D)
You can extend the session expiry time by adjusting the php.ini file as follows:
session.gc_maxlifetime=86400 ; 1 day
session.gc_divisor=5000
session.gc_probability=1
gc_divisor and gc_probability are responsible for cleaning up expired session files; with the above config the session will be valid for 1 day.
I have set the session timeout to 20 minutes as below. Sometimes the session timeout happens in two or three minutes.
ini_set('session.gc_maxlifetime', 1200);
ini_set('session.cookie_lifetime', 1200);
ini_set('session.gc_probability', 1);
ini_set('session.gc_divisor', 100);
What could be the issue?
The 20 minute expiration does not reset when the user browses other pages. The problem is explained in this comment:
As PHP's Session Control does not handle session lifetimes correctly
when using session_set_cookie_params(), we need to do something in
order to change the session expiry time every time the user visits our
site. So, here's the problem.
$lifetime=600;
session_set_cookie_params($lifetime);
session_start();
This code doesn't change the lifetime of the session when the user
gets back at our site or refreshes the page. The session WILL expire
after $lifetime seconds, no matter how many times the user requests
the page. So we just overwrite the session cookie as follows:
$lifetime=600;
session_start();
setcookie(session_name(),session_id(),time()+$lifetime);
And now we have the same session cookie with the lifetime set to the
proper value.
Better, leave the session.cookie_lifetime to 0 so that the cookie expires when the browser is closed. Otherwise, users who assume that closing the browser will end their session will be surprised when they re-open their browser before the 20 minute timeout.
Edit regarding gc_xxxx settings
gc_probability = 1, gc_divisor = 1, gc_maxlifetime = 1200
1/1 implies PHP will check the date of session files for every session_start call.
gc_probability = 1, gc_divisor = 100, gc_maxlifetime = 1200
1/100 means PHP will check the date of session files randomly but approximately once per 100 session_start calls.
The date check itself consists of comparing the session file's accessed time with gc_maxlifetime; it deletes the file if it wasn't accessed in the past (e.g.) 20 minutes.
Having said that, if the cookie expires because of timeout (or closing of browser when timeout was 0) the session expires immediately since the browser stops sending the expired session id cookie; in which case PHP issues a new session id cookie. The session id file associated with the expired cookie becomes abandoned, does not get accessed anymore; therefore garbage collected anytime as described above.
Last, your specific issue can be resolved (i) by looking at the expiry date of session id cookie (ii) and remembering that cookies with timeout are not renewed when page is visited/refreshed.
...or do you only need to start a new session?
I've been given the task of fixing a bug that causes sessions to expire even though the session.gc_maxlifetime is set to 8 hours (it does get set, I've checked).
After going through the code, I noticed that session_start() is called on every load, as predicted, but the login-data sessions are only set when the user logs in.
Do I need to set the user data sessions on every page load for the session-lifetime to reset?
I need the session to be alive for 8 hours, even if the page doesn't reload.
You need to set the session variable again.
One method, use $_SESSION['last_click_time'] = time(); and compare it. If it's outdated, refresh the session variable, log the user back in, etc etc.
You are probably using the default location for session files and it's a temporary directory shared by all web sites on the server. In that case, the site with shortest session.gc_maxlifetime will probably remove session data from all sites. The reason is that there's no way to determine what site owns what session file.
You'll need to create a custom directory for sessions and specify it with session.save_path
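An added example (not code from any of the posts on this page) that combines two points made in these answers: a session directory used by one site only, and an idle timeout enforced by the application from a last-activity timestamp rather than by the cookie or the garbage collector. The function names, the directory and both limits are assumptions; the array form of session_set_cookie_params() needs PHP 7.3 or later.

```php
<?php
// Added example: function names, path and limits are assumptions, not from the page.
const IDLE_LIMIT     = 1800;   // seconds of inactivity allowed (assumed value)
const ABSOLUTE_LIMIT = 28800;  // hard cap in seconds since login (assumed value)

function start_app_session(string $dir): void
{
    // Private directory, so another site's GC run cannot delete our session files.
    if (!is_dir($dir) && !mkdir($dir, 0700, true)) {
        throw new RuntimeException("cannot create session dir $dir");
    }
    ini_set('session.save_path', $dir);
    // GC must never remove data earlier than the longest lifetime enforced below.
    ini_set('session.gc_maxlifetime', (string) ABSOLUTE_LIMIT);
    ini_set('session.use_strict_mode', '1');   // reject session IDs the server did not issue
    session_set_cookie_params([
        'lifetime' => 0,        // cookie ends with the browser session
        'path'     => '/',
        'secure'   => true,     // assumes the site is served over HTTPS
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();
}

function mark_logged_in(int $now): void
{
    session_regenerate_id(true);               // fresh ID at the privilege change
    $_SESSION['login_time'] = $_SESSION['last_activity'] = $now;
}

function session_is_valid(int $now): bool
{
    if (!isset($_SESSION['login_time'], $_SESSION['last_activity'])) {
        return false;                          // not logged in
    }
    if ($now - $_SESSION['last_activity'] > IDLE_LIMIT
        || $now - $_SESSION['login_time'] > ABSOLUTE_LIMIT) {
        $_SESSION = [];
        session_destroy();                     // delete the server-side session file
        return false;
    }
    $_SESSION['last_activity'] = $now;         // each request restarts the idle timer
    return true;
}

start_app_session(sys_get_temp_dir() . '/example_app_sessions'); // hypothetical path
if (!session_is_valid(time())) {
    // Redirect to the login page; after a successful login call mark_logged_in(time()).
}
```

Because the expiry decision is made from values stored in the session itself, the timeout no longer depends on when the garbage collector happens to run or on the cookie's expiry date.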
I have a web application that pings a database every minute or so to check for new entries. The page is designed to not really have any interaction with... You just keep it open and it displays things. The page is password protected, and the site can be up for a couple of days without anyone clicking in the web browser or anything. I've found after it's up for like a day or so it stops checking the database (through an Ajax request) and then if you refresh the page manually it brings you to the login page again. I'm assuming that's because the session which has the login information expires. I never set an expiration time, but does PHP automatically destroy the sessions after a certain amount of time? What do I do to fix this?
Thanks
Thanks for all the replies... Is there a way to set the session to never expire without just changing the PHP settings themselves?
The default value of session.gc_maxlifetime is 1440 seconds. So the garbage collector assumes a session to be expired when the last modification was at least 1440 seconds ago.
Note that when using a cookie for the session ID it might have a different lifetime. The default value 0 of session.cookie_lifetime makes the cookie a session cookie, that means it expires when the browser session is ended (i.e. the browser is closed).
See also my answer on How do I expire a PHP session after 30 minutes? for further information on session expiration.
From php.ini:
; Lifetime in seconds of cookie or, if 0, until browser is restarted.
; http://php.net/session.cookie-lifetime
session.cookie_lifetime = 0
That would be the default if I'm not mistaken. Either set it to zero (if it's not already set) or just use another cookie.