Last night I logged in and the following morning I was still logged in, even if I quit my browser. I want the session to expire after a few hours and I thought that it would work with "session.gc_maxlifetime" set to "1440" and "session.cache_expire" set to "180"
Here is what I could find from PHP.ini
Session Support enabled
Registered save handlers files user
Registered serializer handlers php php_binary wddx
session.auto_start Off
session.bug_compat_42 Off
session.bug_compat_warn Off
session.cache_expire 180
session.cache_limiter nocache
session.cookie_domain no value
session.cookie_httponly Off
session.cookie_lifetime 0
session.cookie_path /
session.cookie_secure Off
session.entropy_file no value
session.entropy_length 0
session.gc_divisor 1000
session.gc_maxlifetime 1440
session.gc_probability 0
session.hash_bits_per_character 5
session.hash_function 0
session.name PHPSESSID
session.referer_check no value
session.save_handler files
session.save_path /var/lib/php5
session.serialize_handler php
session.use_cookies On
session.use_only_cookies On
session.use_trans_sid 0
On our old server we used the same settings and the sessions worked.
The only difference from the old one is the "session.save_handler" that is set to "memcache" on the old server. Also "session.save_path" is different.
Relying on other things and hope them to work is not my thing. :D I think that the best solution would be to implement a session timeout on your own. Use a simple time stamp that denotes the time of the last activity (i.e. request) and update it with every request:
if (isset($_SESSION['LAST_ACTIVITY']) && (time() - $_SESSION['LAST_ACTIVITY'] > 1800)) {
// last request was more than 30 minutes ago
session_unset(); // unset $_SESSION variable for the run-time
session_destroy(); // destroy session data in storage
}
$_SESSION['LAST_ACTIVITY'] = time(); // update last activity time stamp
Updating the session data with every request does also change the session file’s modification date so that the session is not removed by the garbage collector prematurely.
~Foorack
It may help to change gc_probablity to something other than 0.
From the manual for gc_divisor:
session.gc_divisor coupled with session.gc_probability defines the probability that the gc (garbage collection) process is started on every session initialization. The probability is calculated by using gc_probability/gc_divisor, e.g. 1/100 means there is a 1% chance that the GC process starts on each request. session.gc_divisor defaults to 100.
If I'm reading from this right, with gc_probability being 0, the garbage collector is never run, rendering gc_maxlifetime useless.
GC is an expensive process for file-based sessions, so it's not a good idea to run it on every request, [edit: so PHP has a built in randomization to run it periodically]
Addendum:
For anything with real security implications, it's likely better to handle invalidating the session in your script, as Max's answer suggests. Also session.cache_expire sets the default expiration for session pages that are sent to the browser, and doesn't affect session storage at all.
Given you've reset gc_maxlifetime, a couple of things i can think of left to check when this happens:
PHP needs a restart
session is recreated/regenerated somewhere
Related
Can someone please tell me how long my session will last from the data below? - I'm not sure which one tells me
session.auto_start Off Off
session.bug_compat_42 Off Off
session.bug_compat_warn On On
session.cache_expire 180 180
session.cache_limiter nocache nocache
session.cookie_domain no value no value
session.cookie_httponly Off Off
session.cookie_lifetime 0 0
session.cookie_path / /
session.cookie_secure Off Off
session.entropy_file no value no value
session.entropy_length 0 0
session.gc_divisor 1000 1000
session.gc_maxlifetime 1440 1440
session.gc_probability 1 1
session.hash_bits_per_character 5 5
session.hash_function 0 0
session.name PHPSESSID PHPSESSID
session.referer_check no value no value
session.save_handler files files
session.save_path /var/lib/php/session /var/lib/php/session
session.serialize_handler php php
session.use_cookies On On
session.use_only_cookies Off Off
session.use_trans_sid 0 0
In general you can say session.gc_maxlifetime specifies the maximum lifetime since the last change of your session data (not the last time session_start was called!). But PHP’s session handling is a little bit more complicated.
Because the session data is removed by a garbage collector that is only called by session_start with a probability of session.gc_probability devided by session.gc_divisor. The default values are 1 and 100, so the garbage collector is only started in only 1% of all session_start calls. That means even if the the session is already timed out in theory (the session data had been changed more than session.gc_maxlifetime seconds ago), the session data can be used longer than that.
Because of that fact I recommend you to implement your own session timeout mechanism. See my answer to How do I expire a PHP session after 30 minutes? for more details.
This is the one. The session will last for 1440 seconds (24 minutes).
session.gc_maxlifetime 1440 1440
If session.cookie_lifetime is 0, the session cookie lives until the browser is quit.
EDIT: Others have mentioned the session.gc_maxlifetime setting. When session garbage collection occurs, the garbage collector will delete any session data that has not been accessed in longer than session.gc_maxlifetime seconds. To set the time-to-live for the session cookie, call session_set_cookie_params() or define the session.cookie_lifetime PHP setting. If this setting is greater than session.gc_maxlifetime, you should increase session.gc_maxlifetime to a value greater than or equal to the cookie lifetime to ensure that your sessions won't expire.
You're searching for gc_maxlifetime, see http://php.net/manual/en/session.configuration.php#ini.session.gc-maxlifetime for a description.
Your session will last 1440 seconds which is 24 minutes (default).
I need to see the cart of products, and I need to do a first load by PHP and the rest of queries (updates by deleting a product or similar) by jQuery post.
Ok, there's the problem.
[I get variables by JSON on the same php file "any.php"]
The first PHP load doesn't work , when I do the first isset($_COOKIE) on PHP (by curl) and returns NULL, but.. if I call the method .post("any.php") on jQuery PHP, it returns the cart with products.
For add the products I use PHP function
setcookie($cookieName, $createcart, $cookieExpire);
Cookie Params:
session_set_cookie_params(
time()+3600,
'/',
'.test.com',
0,
0
);
setCookie (createcart is the json value):
setcookie($cookieName, $createcart, $cookieExpire);
PHPINFO
session
Session Support enabled
Registered save handlers files user
Registered serializer handlers php php_binary wddx
Directive Local Value Master Value
session.auto_start Off Off
session.bug_compat_42 Off Off
session.bug_compat_warn Off Off
session.cache_expire 180 180
session.cache_limiter nocache nocache
session.cookie_domain .test.com.pe no value
session.cookie_httponly Off Off
session.cookie_lifetime 1379499657 0
session.cookie_path / /
session.cookie_secure Off Off
session.entropy_file no value no value
session.entropy_length 0 0
session.gc_divisor 1000 1000
session.gc_maxlifetime 1440 1440
session.gc_probability 1 1
session.hash_bits_per_character 5 5
session.hash_function 0 0
session.name PHPSESSID PHPSESSID
session.referer_check no value no value
session.save_handler files files
session.save_path /var/lib/php/session /var/lib/php/session
session.serialize_handler php php
session.use_cookies On On
session.use_only_cookies On On
session.use_trans_sid 0 0
From: http://php.net/manual/en/function.setcookie.php
Common Pitfalls:
Cookies will not become visible until the next loading of a page that
the cookie should be visible for. To test if a cookie was successfully
set, check for the cookie on a next loading page before the cookie
expires. Expire time is set via the expire parameter. A nice way to
debug the existence of cookies is by simply calling
print_r($_COOKIE);.
See also: How can I set a cookie and then redirect in PHP?
Maybe the problem is the path of the cookie. You need write it for work correcly in the whole pages.
path
The path on the server in which the cookie will be available on. If set to '/', the cookie will be available within the entire domain. If set to '/foo/', the cookie will only be available within the /foo/ directory and all sub-directories such as /foo/bar/ of domain. The default value is the current directory that the cookie is being set in.
from http://www.php.net/manual/en/function.setcookie.php
I already altered my php.ini in Apache to have these settings:
session.gc_maxlifetime = 1440
session.cache_expire = 1500
But my sessions are not that long. The problem is that I am not certain which settings would "do the trick"
Ideally I am looking for the right configuration to have the session last 12 hours. Could anyone help me with that?
do you also have set session.cookie_lifetime = 0 ?
and maybe somewhere in your scripts or some included scripts the session lifetime is set to another value?
The default "0" value means that the cookie stays alive until the browser is closed. This is also the default value, if not set in php.ini.
Source: http://www.php.net/manual/en/session.configuration.php#ini.session.cookie-lifetime
session.gc_maxlifetime is measured in seconds, so your setting of 1440 will expire after 24 minutes. (see: http://php.net/session.gc-maxlifetime)
For 12 hour session I believe you need:
session.gc_maxlifetime = 43200
session.cache_expire = 720
session.cookie_lifetime = 0
Have a look at:
session.cookie_lifetime x
Where x is the lifetime in seconds
Also, if you are on a shared host, make sure the session data under /tmp is not removed by the host with some sort of clean script. Some hosts clear /tmp every 10 minutes.
I have an application that has been working with session variables no problem. I start the session before the headers on every page that uses when, it has been fine then it seems all of a sudden I'm getting an undefined index error when I navigate to a page other than the one that sets up the session variables. But only on some browsers. Sometimes sessions are maintained and sometimes they aren't.
It seems that cookies aren't being stored some of the time. I've done checks using different browsers and sometimes cookies are stored and sometimes not.
I did an experiment. I was using firefox to use to app and I was keeping an eye on the tmp folder where the sessions are stored. I cleaned it out. Using firefox I started using the app, using all the pages that sessions were in use and at the end I checked the tmp folder and it had one session file in there.
Did the exact same with internet explorer and there are now 7 different session files.
I'm using PHP 5.3.0 with the WAMP stack. Apache 2.2.11. Session support is enabled in my phpinfo().
I call a var dump on the first page and it prints out the session data. On any subsequent pages the session variable is empty.
<?php var_dump($_SESSION); ?>
array(0){}
Can anyone help me figure out a solution to this?
UPDATE - PHP INI SESSION settings
Directive Local Value Master Value
session.auto_start Off Off
session.bug_compat_42 On On
session.bug_compat_warn On On
session.cache_expire 180 180
session.cache_limiter nocache nocache
session.cookie_domain 82.68.26.169 82.68.26.169
session.cookie_httponly Off Off
session.cookie_lifetime 0 0
session.cookie_path / /
session.cookie_secure Off Off
session.entropy_file no value no value
session.entropy_length 0 0
session.gc_divisor 1000 1000
session.gc_maxlifetime 1440 1440
session.gc_probability 1 1
session.hash_bits_per_character 5 5
session.hash_function 0 0
session.name PHPSESSID PHPSESSID
session.referer_check no value no value
session.save_handler files files
session.save_path c:/wamp/tmp c:/wamp/tmp
session.serialize_handler php php
session.use_cookies On On
session.use_only_cookies On On
session.use_trans_sid 0 0
UPDATE - Solution
Because my app was using iframes pulling in pages from another domain (which i created) the cookies i was trying to set were being blocked. Setup a P3P header and the problem seems to be solved!
My suggestion from your previous question still stands: please compare session ids.
The solution might be as simple as your browser not accepting session cookies.
You retrieve the session id by calling session_id(). Do that right after session_start() it should give you a constant value if the session is the same. Otherwise for every request a new session is instantiated.
Also check C:\wamp\tmp. A gazillion files in this directory might indicate fresh sessions for each request.
EDIT Since we've confirmed new sessions per request, it's time to find out whether session cookies are accepted. Check the settings of your browser and confirm that a cookie for your domain (I guess it's "localhost") with the name PHPSESSID can be found.
Do you call session_start() on every page that accesses session data?
Edit: And do you receive the same session ID every time?
Also, could there be some error or warning you're missing (e.g. headers already sent) due to settings?
here is the sense in
while( $row = sqlsrv_fetch_array( $stmt, SQLSRV_FETCH_ASSOC))
{
$_SESSION['saveddata'] = $row;
}
it rewrites $_SESSION['saveddata'] value on each iteration. may be you meant something like
$_SESSION['saveddata'][] = $row;
it makes sense for $atid = $_SESSION['saveddata']['autotaskid'];
Review your session settings. You have a full list with:
<?php
phpinfo();
?>
Scroll down to the "Session" table.
Particularly, make sure that the session.save_path directory exists and is writeable.
When a new session ID is created with each request, most likely it is an issue with your session paths (save_path and cookie_path) and chances of this happening are greater if you're hosting different applications on one server (shared hosting) and some of these applications also implement sessions.
This results in conflicts in your /tmp directory.
You could change the config of your ini file, but it's best to configure these parameters during runtime.
session_set_cookie_params(0, "/app", ".domain.com");//set session cookie parameters
session_save_path("/home/../public_html/app/sess");//set directory of this app's session data
session_start();//start session
I hope that helps everyone having this issue. #CodeOn
I solved this problem on my local WAMP by clearing out the \tmp directory of old sessions.
Can someone please tell me how long my session will last from the data below? - I'm not sure which one tells me
session.auto_start Off Off
session.bug_compat_42 Off Off
session.bug_compat_warn On On
session.cache_expire 180 180
session.cache_limiter nocache nocache
session.cookie_domain no value no value
session.cookie_httponly Off Off
session.cookie_lifetime 0 0
session.cookie_path / /
session.cookie_secure Off Off
session.entropy_file no value no value
session.entropy_length 0 0
session.gc_divisor 1000 1000
session.gc_maxlifetime 1440 1440
session.gc_probability 1 1
session.hash_bits_per_character 5 5
session.hash_function 0 0
session.name PHPSESSID PHPSESSID
session.referer_check no value no value
session.save_handler files files
session.save_path /var/lib/php/session /var/lib/php/session
session.serialize_handler php php
session.use_cookies On On
session.use_only_cookies Off Off
session.use_trans_sid 0 0
In general you can say session.gc_maxlifetime specifies the maximum lifetime since the last change of your session data (not the last time session_start was called!). But PHP’s session handling is a little bit more complicated.
Because the session data is removed by a garbage collector that is only called by session_start with a probability of session.gc_probability devided by session.gc_divisor. The default values are 1 and 100, so the garbage collector is only started in only 1% of all session_start calls. That means even if the the session is already timed out in theory (the session data had been changed more than session.gc_maxlifetime seconds ago), the session data can be used longer than that.
Because of that fact I recommend you to implement your own session timeout mechanism. See my answer to How do I expire a PHP session after 30 minutes? for more details.
This is the one. The session will last for 1440 seconds (24 minutes).
session.gc_maxlifetime 1440 1440
If session.cookie_lifetime is 0, the session cookie lives until the browser is quit.
EDIT: Others have mentioned the session.gc_maxlifetime setting. When session garbage collection occurs, the garbage collector will delete any session data that has not been accessed in longer than session.gc_maxlifetime seconds. To set the time-to-live for the session cookie, call session_set_cookie_params() or define the session.cookie_lifetime PHP setting. If this setting is greater than session.gc_maxlifetime, you should increase session.gc_maxlifetime to a value greater than or equal to the cookie lifetime to ensure that your sessions won't expire.
You're searching for gc_maxlifetime, see http://php.net/manual/en/session.configuration.php#ini.session.gc-maxlifetime for a description.
Your session will last 1440 seconds which is 24 minutes (default).