I have a social website. People log in with a username and password. I am creating a session when they log in, but some time later the session time ends and they have to log back in again. I used the code below to make this time longer, but still, some time later, the session time runs out. I checked SESSID with Chrome's cookie viewer and saw the session still has time, but in the browser it does not see that time. I hope I explained my problem well. Here is the code to create the session on login:
$lifetime=3600*24*7;
session_start();
setcookie(session_name(),session_id(),time()+$lifetime);
You need to take a look at: session.gc_maxlifetime in your configuration. This needs to have a high enough value, to keep the session alive. Also if you are using Memcache or some other caching for your sessions, the TTL there needs to be set, too.
Related
I am trying to keep a user logged in for 2 weeks. If the user logs in with "remember me" checked, I set some variables in the session and a cookie set for 2 weeks. It is set correctly; I have printed it and got the values session_cookie_lifetime = 1209600 and session_gc_maxlifetime = 1209600. I also printed the session and got the correct values in $_SESSION.
After logging in to my site, when I shut down my computer and reopen my site, it seems to be working (it keeps me logged in). But when I shut down my computer and open my browser the next day, it is not working and shows that I am not logged in to my site. I have printed $_COOKIE and $_SESSION. It shows that the cookie contains:
[PHPSESSID] => svikos35bgclmebk2cqraiddt2
But session is empty.
I got this from the MODx stuff:
MODx automatically starts and ends sessions with each request made to the site. You can simply save values into the $_SESSION array and they will be saved in between requests so you can use them on subsequent pages (so long as you have the same user session). Not really any magic to it other than don’t call the session functions yourself to start, end, or otherwise manipulate the session configuration—that can all be done via settings in MODx.
I am using MODx Revo. It is a somewhat descriptive question. Let me know if you need something else.
Anything that may help me (blog link, any settings, any suggestion) will be highly appreciated.
Thanks in advance
This only happens after a day?
Could tmpwatch be deleting session files from the server?
session_cookie_lifetime and session_gc_maxlifetime don't guarantee that the session will be saved for a week. GC kills unused sessions. Check the PHP documentation about these parameters and you will see that you can't be sure that your session will be on the server, and you can't be sure that your session will be destroyed after this time. GC is async.
You need to recreate $_SESSION after login (and autologin) if it doesn't exist.
Check this article (in Russian, try Google Translate):
PHP GC: unexpected behavior
The basic idea behind a session is that when you create or call the session_start() method, your server generates a session id and stores it in server memory. The server also creates a cookie on your client machine; that cookie contains an id that is related to your server-side session id. When you call the session_destroy() method, the server deletes that id on the server side but does not delete the client-side cookie. That is why your session id is still shown. You can also check by clearing the cache and cookies. When you clear the cookie, your session will be destroyed.
...or do you only need to start a new session?
I've been given the task of fixing a bug that causes sessions to expire even though session.gc_maxlifetime is set to 8 hours (it does get set, I've checked).
After going through the code, I noticed that session_start() is called on every load, as predicted, but the login-data sessions are only set when the user logs in.
Do I need to set the user data sessions on every page load for the session lifetime to reset?
I need the session to be alive for 8 hours, even if the page doesn't reload.
You need to set the session variable again.
One method, use $_SESSION['last_click_time'] = time(); and compare it. If it's outdated, refresh the session variable, log the user back in, etc etc.
You are probably using the default location for session files and it's a temporary directory shared by all web sites on the server. In that case, the site with shortest session.gc_maxlifetime will probably remove session data from all sites. The reason is that there's no way to determine what site owns what session file.
You'll need to create a custom directory for sessions and specify it with session.save_path
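The two server-side points made in the answers above (a gc_maxlifetime that matches the cookie lifetime, and a session directory that is not shared with other sites) can be combined as follows. This is an added example, not code from any of the posts; the function name, the one-week lifetime and the directory path are assumptions, and the array form of setcookie() requires PHP 7.3 or later.

```php
<?php
declare(strict_types=1);
// Added example: function name, lifetime and path are assumptions, not from the posts.

const SESSION_LIFETIME = 7 * 24 * 3600;   // one week

function start_long_session(string $saveDir, int $lifetime = SESSION_LIFETIME): void
{
    // Private directory: another site's shorter gc_maxlifetime cannot purge these files.
    if (!is_dir($saveDir) && !mkdir($saveDir, 0700, true)) {
        throw new RuntimeException("cannot create session directory $saveDir");
    }

    session_start([
        'save_path'       => $saveDir,
        'gc_maxlifetime'  => $lifetime,   // how long idle session data may live on the server
        'cookie_lifetime' => $lifetime,   // how long the browser keeps the session id
        'cookie_secure'   => true,        // assumes the site is served over HTTPS
        'cookie_httponly' => true,        // keep the id out of reach of page scripts
        'cookie_samesite' => 'Lax',
        'use_strict_mode' => true,        // refuse session ids the server did not issue
    ]);

    // The cookie's expiry is fixed when the session is created; re-send it on
    // each request so that the week counts from the last visit, not the login.
    $p = session_get_cookie_params();
    setcookie(session_name(), session_id(), [
        'expires'  => time() + $lifetime,
        'path'     => $p['path'],
        'domain'   => $p['domain'],
        'secure'   => $p['secure'],
        'httponly' => $p['httponly'],
        'samesite' => $p['samesite'],
    ]);
}

// Hypothetical directory outside the web root, owned by the web server user.
start_long_session(__DIR__ . '/../var/sessions');
```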
This may seem trivial.
What will happen to a session that was never destroyed/unset/write_close-d?
Let's just say I have set the session to never time out. What will happen to the session if a person finds himself at the login page and logs in using different credentials? Also, just for testing purposes, the login page doesn't redirect if the session is set.
Will it be overwritten and destroyed, or never destroyed?
If your login sets all of the session variables, the session will be effectively destroyed by the new values.
If there is a variable that's in the session that isn't overwritten by the login, then it will persist. The session is overwritten rather than destroyed and set again.
If he logs in using different credentials with an already started session, the session will simply be overridden...
In the case that the user deletes his cookies etc., a new session will be generated and the old one MAYBE will be retained as a session file or in the DB...
(depends on the php-settings)
Sessions will be destroyed implicitly after timeout. The number of seconds for timeout can be specified in php.ini. Default is 1440 seconds or 24 minutes.
You have to set some arbitrarily large value for session.gc_maxlifetime to seemingly never time out.
If you let someone else go through the login process, it must overwrite the existing session. But all this ultimately depends on your code.
I made a website with login features, but sometimes users are automatically logged out. I have other websites and have never experienced this issue before. My website is hosted. My session script is
if(#username and password is match#)
$_SESSION['front_end_user'] = $username;
The difference between this website and my other website is that in this website I use full jQuery interaction. Could this affect the session? If not, what is the problem?
I have checked all my pages and there are no session_destroy or unset statements.
The session usually expires after 24 minutes. By the way, you can set this session timeout to last longer, but I'd not suggest this. I'd use a cookie solution. (For this, google "remember me tutorial" and you'll find out.)
I think this is a session timeout. Your session is timing out after a certain amount of time and this is normal behaviour for all applications.
PHP's default session timeout value is 24 minutes. This means that the session will time out after 24 minutes of inactivity.
Although you can increase the session timeout limit, note that it should not be a big amount.
I'm using login function in my site with session.
This session of mine gets expired after a few minutes irrespective of whether the user has logged out or not.
Now what I want is that the session should only get expired when a user logs out. If a user doesn't log out his account and then comes back after 2-3 days, even then he should appear logged in.
I have found some examples where they have increased the time for a session to expire but I want that it should only expire on the log out event by the user irrespective of the time he took to log out.
How can I do that?
In particular, is this the right way to do so?
session_cache_expire(0);
session_start();
A solution that is often used, in this situation, is to:
have a not-too-long session duration: it will expire if the user is not active (that's just the way it works -- and that's better for your server if you have lots of users)
when user logs in, you set a cookie that contains what is needed for him to be recognized
if he comes back on the site (with the cookie, and without having an active session), you use the information contained in that cookie to auto-log him in, re-creating the session at the same time.
This way:
you don't have thousands of sessions "active" with no good reason
you keep the standard way sessions work
And you have the advantage of "never being logged out", at least from the user's point of view.
Also note that with "normal" sessions, the cookie containing the session id will be deleted when the user closes his browser -- so, he will be disconnected, no matter how long the session's lifetime is.
With the solution I propose, you are the one who sets up how long the cookie should remain on the user's computer ;-)
It means, though, that when a user manually logs out, you have to delete both his session and the cookie, of course -- so he's not immediately re-auto-logged-in.
Of course, you have to be careful about what you set in the cookie: a cookie is not quite secure, so don't store a password in it, for instance ;-)
Actually, this way of doing things is how the "remember me" feature often works; except, here, your users will not have to check a checkbox to activate "remember me" ;-)
If you don't have the time to develop that kind of stuff, a pretty quick and dirty way is to use some Ajax request on all your pages, that will just "ping" a PHP page on the server -- this will keep the session active (but it's not quite a good way of doing things: you'll still have LOTS of sessions on the server, you'll have lots of useless requests... and it will only work as long as the user doesn't close his browser).
You can't do that with the PHP internal session handling alone. PHP will always send out the session id in a session cookie which will expire when the user closes his browser. To achieve some sort of auto-login you'll need some accompanying code that sets a longer-lasting cookie on the user's browser and handles the recognition of these cookies and the mapping between the cookie's value and the respective user account.
Please note that this greatly affects security issues so you'll have to take care of a lot of things. Please read the following on how a possible auto-login feature could be working:
Persistent Login Cookie Best Practice
Improved Persistent Login Cookie Best Practice
Do you remove your cookies while testing? Are cookies enabled? Do you destroy the session somewhere in your code?
Also, see my answer to another post: Quick question about sessions in PHP which explains how to stay signed in. Just don't do a cronjob/scheduled task if you want the user to stay logged in forever.