Why are my session lifetimes not expiring when they're supposed to? - php

When my users log in, I want to set the amount of time before the session expires.
I've accomplished this by setting the lifetime in session_set_cookie_params.
When I look at the cookie's expiration date it says:
Saturday, December 8, 3296 at 11:45:08 AM
But when I come back after an hour the cookie is there but my site won't recognize it. Why won't my site recognize or use the cookie?

The cookie contains only the session identifier. The data itself is stored on the server side. PHP periodically deletes expired sessions. When you return after one hour, the session data is already lost and the session ID from your cookie can't be matched to anything.
Check out session.gc_maxlifetime (http://php.net/manual/en/session.configuration.php#ini.session.gc-maxlifetime) for more info.

Related

Session expires automatically after some amount of time in php

I am developing a simple PHP website named: http://www.dopanchat.com
In this site I used sessions to develop the login system. Everything works fine, but after some amount of time (for example, after 1 hour) the session expires automatically and the user is logged out of my site.
I don't know if it's a server problem or anything else.
Please help me to resolve this problem; you can check here: http://www.dopanchat.com
Extending your session timeout is an approach, but I wouldn't recommend extending it too much :)
Instead, your application could detect user activity and refresh the session expiry time accordingly.
After all, it doesn't really matter what the session's timeout is; at some point the user will lose authentication due to the expired session.
Basically, the expiry countdown always starts after the user's last action and not from the moment s/he logged in to your system.
Try this:
// Time in seconds before the session data expires on the server
ini_set('session.gc_maxlifetime', 3600);
// Time in seconds before the cookie holding the session ID expires
session_set_cookie_params(3600);
// Start session
session_start();
I think this is gonna work. Tell me if it works!
(Sorry for my bad English :D)
You can extend the session expiry time by adjusting the php.ini file as follows:
session.gc_maxlifetime=86400 ; 1 day
session.gc_divisor=5000
session.gc_probability=1
gc_divisor and gc_probability are responsible for cleaning expired session files; with the above config the session will be valid for 1 day.
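The activity-based expiry suggested in the first answer above, as an added example that is not part of any of the original answers: the application records the time of the last request in the session and enforces the idle limit itself, instead of depending on when the garbage collector happens to run. `IDLE_LIMIT`, the `last_activity` key and both function names are assumptions.

```php
<?php
// Added example: idle (inactivity) timeout enforced by the application.
const IDLE_LIMIT = 3600; // assumed value: seconds of inactivity allowed

// Pure decision function: has this session been idle for too long?
function session_is_stale(array $session, int $now, int $limit = IDLE_LIMIT): bool
{
    return isset($session['last_activity'])
        && ($now - (int) $session['last_activity']) > $limit;
}

function start_session_with_idle_timeout(): void
{
    // Keep server-side data at least as long as the idle limit, so the
    // garbage collector does not remove a session that is still allowed.
    ini_set('session.gc_maxlifetime', (string) IDLE_LIMIT);
    // Lifetime 0 keeps the ID in a browser-session cookie; httponly keeps
    // it away from scripts running in the page.
    session_set_cookie_params([
        'lifetime' => 0,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();

    if (session_is_stale($_SESSION, time())) {
        // Too long since the last request: drop the data (including any
        // login state) and replace the ID so the old one is useless.
        $_SESSION = [];
        session_regenerate_id(true);
    }
    // Every request counts as activity, so the countdown restarts here.
    $_SESSION['last_activity'] = time();
}

start_session_with_idle_timeout();
```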

How does remember me cookie work with session life time?

I'm a bit confused with this,
Say the session has been started with the default php.ini settings, where gc_maxlifetime is 1440 seconds, and I am supposed to use remember me functionality with this, for which I set the cookie lifetime to 14 days. As long as the session max lifetime is set to 24 minutes, which is obviously less than the cookie lifetime (14 days), after 10 days (for example) the session is likely (of course it depends on the gc probability) to have expired, and there would be no reference to the session id that the remember me cookie has.
So how would setting a remember me cookie lifetime longer than the session lifetime remember/resume the session? Or do I need to change the session max lifetime according to the cookie lifetime?
Generally a "remember me" cookie is a persistent cookie, not a session cookie. It contains some encrypted information which allows an automatic login action to occur. i.e. When there is no active session already, but the "remember me" cookie is present, then a new session will be started.
The session GC function will delete session data (which is by default kept in plain text files), while the cookie settings will delete the cookie that keeps the session id.
In order for a session to be active, its data file, and a cookie with its ID must exist (AFAIK).
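One common way to build the persistent "remember me" cookie described above, as an added example that is not from the original answers. It uses a random selector/validator token with only a hash of the validator stored server-side, in place of encrypted data in the cookie; the table, column and function names are assumptions, and an in-memory SQLite database (pdo_sqlite) stands in for the real one.

```php
<?php
// Added example: single-use selector/validator "remember me" token.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE remember_tokens (
    selector TEXT PRIMARY KEY, validator_hash TEXT, user_id INTEGER, expires INTEGER)');

// Called after a password login with "remember me" ticked.
// Returns the cookie value; only a hash of the secret half is stored.
function issue_remember_token(PDO $pdo, int $userId, int $ttl = 14 * 86400): string
{
    $selector  = bin2hex(random_bytes(9));
    $validator = bin2hex(random_bytes(32));
    $stmt = $pdo->prepare('INSERT INTO remember_tokens VALUES (?, ?, ?, ?)');
    $stmt->execute([$selector, hash('sha256', $validator), $userId, time() + $ttl]);
    return $selector . ':' . $validator;
}

// Called when there is no active session but the cookie is present.
// Returns the user id to log in, or null if the token is not acceptable.
function redeem_remember_token(PDO $pdo, string $cookie): ?int
{
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$selector, $validator] = $parts;
    $stmt = $pdo->prepare('SELECT validator_hash, user_id, expires
                           FROM remember_tokens WHERE selector = ?');
    $stmt->execute([$selector]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;
    }
    // Delete on every lookup: a token is used once, then replaced.
    $pdo->prepare('DELETE FROM remember_tokens WHERE selector = ?')->execute([$selector]);
    // Constant-time comparison of the stored hash with the presented secret.
    $ok = hash_equals($row['validator_hash'], hash('sha256', $validator))
        && (int) $row['expires'] >= time();
    return $ok ? (int) $row['user_id'] : null;
}

// Constructed demo: issue a token for user 42, then present the same cookie
// twice; the second call exercises the single-use rule.
$cookie = issue_remember_token($pdo, 42);
var_dump(redeem_remember_token($pdo, $cookie));
var_dump(redeem_remember_token($pdo, $cookie));
```

When a token is redeemed successfully, the caller would start the new session with `session_regenerate_id(true)`, store the user id in `$_SESSION`, and set a freshly issued token in the cookie.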

Joomla increase frontend session time out limit

I want to set the Joomla front end session to never expire automatically. I am thinking that the session timeout limit should be 45 days, so that users visiting the site even after 44 days will still be logged in. I set the session timeout limit in the back end, in the global configuration, to expire in 64800 minutes, and I also updated session.gc_maxlifetime to, say, 3888000, but it is still not working.
Joomla creates the cookie with the name d58ba4091c622661a0d46f03b412ac8b and the expiry time says 'At end of session'.
This means that the session will expire whenever a user closes the browser.
The expiry time should be changed for this cookie according to the configuration settings, but it still says 'At end of session'.
For an example, see how the Stack Overflow session works; I need to do it the same way.
Is there any way to change this cookie lifetime from 'At end of session' to something I want?
Should I hard code the time limit where this cookie comes into existence, or how should I do this?
Thanks.
Use this plugin:
http://extensions.joomla.org/extensions/administration/admin-desk/13982
You definitely don't want to make the session never expire because this will cause all kinds of server and security issues. You need to change the expiration of the cookie to some date in the future. The easiest way to do this would be a plugin that checks for the cookie and updates the expiration.

What is the default session expiration time in PHP?

I have a web application that pings a database every minute or so to check for new entries. The page is designed to not really have any interaction with... You just keep it open and it displays things. The page is password protected, and the site can be up for a couple days without anyone clicking in the web browser or anything. I've found after it's up for like a day or so it stops checking the database (through an Ajax request) and then if you refresh the page manually it brings you to the login page again. I'm assuming that's because the session which has the login information expires. I never set an expiration time, but does PHP automatically destroy the sessions after a certain amount of time? What do I do to fix this?
Thanks
Thanks for all the replies... Is there a way to set the session to never expire without just changing the PHP settings themselves?
The default value of session.gc_maxlifetime is 1440 seconds. So the garbage collector assumes a session to be expired when the last modification was at least 1440 seconds ago.
Note that when using a cookie for the session ID it might have a different lifetime. The default value 0 of session.cookie_lifetime makes the cookie a session cookie, that means it expires when the browser session is ended (i.e. the browser is closed).
See also my answer on How do I expire a PHP session after 30 minutes? for further information on session expiration.
From php.ini:
; Lifetime in seconds of cookie or, if 0, until browser is restarted.
; http://php.net/session.cookie-lifetime
session.cookie_lifetime = 0
That would be the default if I'm not mistaken. Either set it to zero (if it's not already set) or just use another cookie.

Expire certain cookies after a specific amount of inactivity time

I wonder how I can remove certain cookies after (e.g. 10 minutes of) inactivity.
I'm working on securing a PHP project and this is one of the steps.
I should remove administration cookies and the session saved in MySQL after a certain amount of inactivity time in a PHP/MySQL project.
Are there any suggestions?
Well, you should never be storing anything important in cookies, so you should really only have a Session ID stored as a cookie.
Simply set that cookie to expire in 10 minutes. Store that same timestamp in your database.
After, say, 5 minutes, do what you need to do, then set the cookie to expire in another 10 minutes and update the session
After, say, 11 more minutes, the cookie won't be provided, and you can forward the user to your "not authenticated page".
In a cron job or on every page load, delete any sessions that have an expiry time in the past.
Save a random string both in the cookie and in the db; in the db also save the expire time.
When a client performs a request, get the string from the cookie and check the corresponding expire time in the db.
If the time has passed, destroy the cookie, otherwise not...
<?php
// Assumes $pdo is an open PDO connection (the original omitted the connection code).
// If the cookie doesn't exist, create it and save its hash and expire date.
if (!isset($_COOKIE['hash'])) {
    // Create a random string in $rnd_string and the expire date in $data
    // (10 minutes ahead, matching the question; a DATETIME column is assumed)
    $rnd_string = bin2hex(random_bytes(32));
    $data = date('Y-m-d H:i:s', time() + 600);
    setcookie("hash", $rnd_string);
    // Add the row to the db with a prepared statement, never by string concatenation
    $stmt = $pdo->prepare("INSERT INTO `table` (expiredate, hash) VALUES (?, ?)");
    $stmt->execute([$data, $rnd_string]);
}
else {
    // Here is the code for when the cookie exists
    $hash = $_COOKIE['hash'];
    // Retrieve the row from the db; the cookie value is client-controlled, so bind it
    $stmt = $pdo->prepare("SELECT expiredate FROM `table` WHERE hash = ?");
    $stmt->execute([$hash]);
    $result = $stmt->fetch(PDO::FETCH_ASSOC);
    // In $result['expiredate'] you'll have the expire date; check this against server time and decide whether the session is valid or not...
}
Couldn't you just set the cookies on every page to expire in 10 * 60?
