I have a cookie that appears to be getting created correctly, listed in Chrome as
Created: Tuesday, January 22, 2013 4:17:01 PM
Expires: Thursday, May 2, 2013 5:17:22 PM
I see the session file in the tmp folder on my server, and I can close and re-open the browser and remain logged in. However, after several hours of inactivity, the session file appears to get deleted from the tmp folder.
I solved a previous problem where the session was getting overwritten (session file still existed, but size was 0 bytes) because a script called by a jQuery function was not preserving the session data. However, in this case the session file disappears.
How can I fix this problem?
Every session has a limited lifetime. In PHP this lifetime can be set by
ini_set('session.gc_maxlifetime', $seconds); // $seconds: session lifetime in seconds
session.gc_maxlifetime specifies the number of seconds after which data will be seen as 'garbage' and potentially cleaned up. Garbage collection may occur during session start (depending on session.gc_probability and session.gc_divisor).
http://php.net/manual/en/session.configuration.php#ini.session.gc-maxlifetime
Don't set this to very high values (days or months).
If you want to auto-login your users, save a token into a user's cookie and create a new session when the old one is gone.
Might want to read this
Designing a secure auto login cookie system in PHP
and this
Creating a secure login using sessions and cookies in PHP
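One way to implement the token approach this answer describes, added here as an example and not taken from the thread or the linked posts: a random selector/validator pair goes into the cookie, only a hash of the validator is kept server-side, and each token is single-use. The function names, the `remember` cookie name, the 14-day lifetime and the in-memory `$store` (standing in for a database table) are assumptions.

```php
<?php
// Added example. $store stands in for a database table keyed by selector (assumption).

const REMEMBER_TTL = 1209600; // 14 days, an assumed value

function issueRememberToken(array &$store, int $userId): string
{
    $selector  = bin2hex(random_bytes(9));   // lookup key, not secret
    $validator = bin2hex(random_bytes(32));  // secret half, never stored in clear
    $store[$selector] = [
        'user_id' => $userId,
        'hash'    => hash('sha256', $validator),
        'expires' => time() + REMEMBER_TTL,
    ];
    return $selector . ':' . $validator;     // value for the cookie
}

function redeemRememberToken(array &$store, string $cookie): ?int
{
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2 || !isset($store[$parts[0]])) {
        return null;
    }
    [$selector, $validator] = $parts;
    $row = $store[$selector];
    unset($store[$selector]);                // single use, consumed even on failure
    if ($row['expires'] < time()) {
        return null;
    }
    // Constant-time comparison of the stored hash with the presented validator.
    return hash_equals($row['hash'], hash('sha256', $validator)) ? $row['user_id'] : null;
}

// Constructed walk-through: the old session is gone, only the cookie value remains.
$store  = [];
$cookie = issueRememberToken($store, 42);
$userId = redeemRememberToken($store, $cookie);
if ($userId !== null) {
    // In a web request: session_start(); session_regenerate_id(true);
    // $_SESSION['user_id'] = $userId; then send the rotated token with
    // setcookie('remember', $next, ['expires' => time() + REMEMBER_TTL,
    //     'path' => '/', 'secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
    $next = issueRememberToken($store, $userId);
}
var_dump($userId, redeemRememberToken($store, $cookie)); // old token presented a second time
```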
I have a simple question to which I couldn't find the answer on this page:
https://codeigniter.com/userguide3/libraries/sessions.html#how-do-sessions-work
That is why I ask it here.
But first, let's assume that session will expire in 600 seconds (10 minutes).
So, when will the session cookie actually expire?
1. from the first time I open a CodeIgniter website and use it for 10 minutes, or
2. 10 minutes after I stop opening pages on that website
Another question if the answer is 1:
Can I somehow extend the session every time the user accesses the website?
Another question if the answer is 2:
What is happening with sess_time_to_update? Can I extend the life of session_id to match the life of the session too?
Assuming $config['sess_expiration'] = 600; (10 minutes), the session cookie will expire 10 minutes after the last time you accessed the page, or "answer 2" as you called it.
sess_time_to_update controls how long before the session ID is changed, but that has nothing to do with expiration and is entirely transparent to you and/or the user - the ID itself will be changed for security purposes, but all other attributes will be preserved.
The "life of session_id" and "life of the session" are one and the same thing; there will never be a mismatch between them. A file or database record of the expired session may remain for a bit on the server, until the garbage collector clears it up, but without an ID stored in the cookie you effectively have no active session.
So in this Zend 1 application, when I go to the start page, I can see that there is a cookie named PHPSESSID.
I then log in (a custom login) and the user can go through protected pages.
But if he is inactive for more than 30 minutes, when then requesting a protected page the application will redirect him to login page.
What I was focusing on was the PHPSESSID, which initially was set to 30 minutes. I increased that by adding "28800" to what seems to be a global call to setcookie.
When I then reloaded the page, I could see that PHPSESSID would expire after 8 hours.
Despite this, the user is still being logged out after 30 minutes.
So changing the cookie expiration didn't give anything.
What's next? Changing the php session duration?
Current relevant values are:
session.cache_expire: 180
session.gc_divisor: 1000
session.entropy_length: 32
session.gc_maxlifetime: 14400
session.gc_probability: 1
session.name: PHPSESSID
Or is this related to the framework itself? Somewhere in Zend to adjust the expiration of the session?
If you are using Zend then try this.
$auth = Zend_Auth::getInstance();
if ($auth->hasIdentity()) {
    $authns = new Zend_Session_Namespace($auth->getStorage()->getNamespace());
    $authns->setExpirationSeconds(60 * 30); // expire auth storage after 30 min
}
If you have multiple PHP sites storing session files in the same directory, their PHP GC processes may have different settings for sessions. In this case, store session files in another directory that is used only by your site.
When my users login, I want to set the amount of time before the session expires.
I've accomplished this by setting the lifetime in session_set_cookie_params.
When I look at the cookie's expiration date it says:
Saturday, December 8, 3296 at 11:45:08 AM
But when I come back after an hour the cookie is there but my site won't recognize it. Why won't my site recognize or use the cookie?
The cookie contains only the session identifier. The data itself is stored on the server side. PHP periodically deletes expired sessions. When you're returning after one hour, the session data is already lost and the session ID from your cookie can't be matched to anything.
Check out session.gc_maxlifetime (http://php.net/manual/en/session.configuration.php#ini.session.gc-maxlifetime) for more info.
I have set the session timeout time to 20 minutes as below. Sometimes the session timeout is happening in two or three minutes.
ini_set('session.gc_maxlifetime', 1200);
ini_set('session.cookie_lifetime', 1200);
ini_set('session.gc_probability', 1);
ini_set('session.gc_divisor', 100);
What could be the issue?
The 20 minute expiration does not reset when the user browses other pages. The problem is explained in this comment:
As PHP's Session Control does not handle session lifetimes correctly
when using session_set_cookie_params(), we need to do something in
order to change the session expiry time every time the user visits our
site. So, here's the problem.
$lifetime=600;
session_set_cookie_params($lifetime);
session_start();
This code doesn't change the lifetime of the session when the user
gets back at our site or refreshes the page. The session WILL expire
after $lifetime seconds, no matter how many times the user requests
the page. So we just overwrite the session cookie as follows:
$lifetime=600;
session_start();
setcookie(session_name(),session_id(),time()+$lifetime);
And now we have the same session cookie with the lifetime set to the
proper value.
Better, leave the session.cookie_lifetime to 0 so that the cookie expires when the browser is closed. Otherwise, users who assume that closing the browser will end their session will be surprised when they re-open their browser before the 20 minute timeout.
Edit regarding gc_xxxx settings
gc_probability = 1, gc_divisor = 1, gc_maxlifetime = 1200
1/1 implies PHP will check the date of session files for every session_start call.
gc_probability = 1, gc_divisor = 100, gc_maxlifetime = 1200
1/100 means PHP will check the date of session files randomly but approximately once per 100 session_start calls.
The date check itself consists of comparing the session file's accessed time with gc_maxlifetime; it deletes the file if it wasn't accessed in the past (e.g.) 20 minutes.
Having said that, if the cookie expires because of timeout (or closing of browser when timeout was 0) the session expires immediately since the browser stops sending the expired session id cookie; in which case PHP issues a new session id cookie. The session id file associated with the expired cookie becomes abandoned and does not get accessed anymore; it is therefore garbage collected at any time as described above.
Last, your specific issue can be resolved (i) by looking at the expiry date of session id cookie (ii) and remembering that cookies with timeout are not renewed when page is visited/refreshed.
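An application-level idle check that depends on neither garbage-collection timing nor the cookie's expiry date, the two mechanisms discussed in this answer; it is added here as an example and is not taken from the thread. `checkIdle`, the `last_activity` and `id_issued` keys and the 300-second rotation interval are assumptions, and the `secure` cookie flag assumes an HTTPS site.

```php
<?php
// Added example. Function and key names are illustrative, not from the thread.

const IDLE_LIMIT   = 1200; // 20 minutes, the timeout from the question
const ROTATE_AFTER = 300;  // assumed interval for changing the session ID

// Decides the fate of a session from its own timestamps, so the result does
// not depend on when garbage collection runs or on the cookie's expiry date.
function checkIdle(array &$session, int $now): string
{
    if (isset($session['last_activity'])
        && $now - $session['last_activity'] > IDLE_LIMIT) {
        $session = [];                       // stale data must not be reused
        return 'expired';
    }
    $session['last_activity'] = $now;        // every request slides the window
    $session['id_issued'] = $session['id_issued'] ?? $now;
    if ($now - $session['id_issued'] > ROTATE_AFTER) {
        $session['id_issued'] = $now;
        return 'rotate';
    }
    return 'ok';
}

if (PHP_SAPI === 'cli') {
    // Constructed timeline (seconds): three requests, then a long pause.
    $session = [];
    foreach ([0, 600, 1100, 2400] as $t) {
        echo $t, ' => ', checkIdle($session, $t), PHP_EOL;
    }
} else {
    // Web wiring; 'secure' assumes the site is served over HTTPS.
    ini_set('session.gc_maxlifetime', (string) IDLE_LIMIT);
    session_set_cookie_params(['lifetime' => 0, 'path' => '/',
        'secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
    session_start();
    $state = checkIdle($_SESSION, time());
    if ($state === 'expired') {
        session_unset();
        session_destroy();                   // caller then redirects to login
    } elseif ($state === 'rotate') {
        session_regenerate_id(true);
    }
}
```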
I have a web application that pings a database every minute or so to check for new entries. The page is designed to not really have any interaction with... You just keep it open and it displays things. The page is password protected, and the site can be up for a couple days without anyone clicking in the web browser or anything. I've found after it's up for like a day or so it stops checking the database (through an Ajax request) and then if you refresh the page manually it brings you to the login page again. I'm assuming that's because the session which has the login information expires. I never set an expiration time, but does PHP automatically destroy the sessions after a certain amount of time? What do I do to fix this?
Thanks
Thanks for all the replies... Is there a way to set the session to never expire without just changing the PHP settings themselves?
The default value of session.gc_maxlifetime is 1440 seconds. So the garbage collector assumes a session to be expired when the last modification was at least 1440 seconds ago.
Note that when using a cookie for the session ID it might have a different lifetime. The default value 0 of session.cookie_lifetime makes the cookie a session cookie, that means it expires when the browser session is ended (i.e. the browser is closed).
See also my answer on How do I expire a PHP session after 30 minutes? for further information on session expiration.
From php.ini:
; Lifetime in seconds of cookie or, if 0, until browser is restarted.
; http://php.net/session.cookie-lifetime
session.cookie_lifetime = 0
That would be the default if I'm not mistaken. Either set it to zero (if it's not already set) or just use another cookie.