Php sessions appear to get dropped/lost on regeneration - php

I'm using 24 hour sessions at the moment to keep users logged in, if they browse to another page of the site after 30 minutes of the session starting then the session will be regenerated to extend the session expiration time to time() + 24 hours.
I am using php.ini to ensure only cookie sessions are used and altered their default save time to just over 24 hours:
session.gc_maxlifetime = 90000
session.cookie_lifetime = 90000
session.use_trans_sid = 0
session.use_only_cookies = 1
I use the following to being a session:
session_save_path("/home/user/sessions");
session_set_cookie_params("86400", "/");
session_name("auth");
session_start();
but at the moment my sessions seem to get lost within the first hour. The cookie auth is still there but it doesn't seem to link to the information that was stored when the session was made:
$_SESSION['userId'] = $row[0];
$_SESSION['created'] = time();
This leads me to think that the regeneration part is somehow incorrect?
To regenerate a cookie after 30 minutes I am using:
if($_SESSION['created'] + 30 * 60 < time())
{
session_regenerate_id();
$_SESSION['created'] = time();
}
Does the above code need to have some way to keep the session id after regeneration?
Like:
$sid = session_id();
session_regenerate_id();
session_id($sid);
session_start();
or is this not necessary? Are there any other reasons my sessions could be getting lost/mixed up?

Session lifetimes are (usually) dependable. But since you mention that they seem to be getting wiped out within an hour, it makes me think that the server is running a debian or debian derived OS.
On our server (running ubuntu 10.10), sessions get cleaned out every half-an-hour by the system through a cron job, whether or not the session is still valid. The only way around it is by creating your own session handler.
If the server is not debian based, then I'd have to say I don't know.

Interesting, when a session is created it stores a session file in the temporary folder on the server, if this file is deleted or removed then the session would be lost, could this be happening?
A work around for this would be to set a cookie valid for 24 hours with a unique pair of values that you can store against a user, that way when they return if the session has been destroyed they will still be logged in as the script would match the data from the cookies to the data held in the database.
What information are you storing in the session as this would also be lost.

Related

keep session active when going to other website

Ok, so here is the problem.
I have a website with a member login and a payment module. The member can buy stuff, but only when he's logged in (with sessions).
When the member wants to pay, he is redirected to another page of the payment provider (mollie). So for a brief amount of time, he leaves my website.
When the payment is done, he is automatically sent back to my website. And that's where the problem occurs: he is logged out.
How can I keep the sessions alive?
<?php
if(isset($_SESSION['member']) && $_SESSION['time']+300 > time()){
// logged in
}
?>
Anyone an idea?
By default, PHP keeps a user's session open until their browser is closed. You can override that behaviour by changing the session.cookie-lifetime INI setting:
When you are creating the session for first time use this code, it will set the cookie time for a year (use your own time as its needed).
ini_set('session.cookie_lifetime', 60 * 60 * 24 * 365);
ini_set('session.gc-maxlifetime', 60 * 60 * 24 * 365);
session_start();
That should set the PHPSESSID cookie and your session will be safe... but is not the most secure way, so use it if you don't mind security issues
i would also try something with using the session_set_cookie_parameters() to give the session cookie a non-zero lifetime before starting the session, or set session.cookie_lifetime to non-zero.
i think the easiest way for you is that instead of just session_start we should input this on each page there is a session
$expire = 365*24*3600; // We choose a one year duration
ini_set('session.gc_maxlifetime', $expire);
session_start(); //We start the session
setcookie(session_name(),session_id(),time()+$expire);
//Set a session cookies to the one year duration
The problem is solved! It was an issue with 'www' and 'non-www'.
I added the following code:
session_set_cookie_params(0, '/', '.mydomain.com');

How to make session valid for a certain amount of hours

So in this zend 1 application, when I go to start page, I can see that there is a cookie named PHPSESSID.
I then log in (a custom login) and the user can go through protected pages.
But if he is inactive for more than 30 minutes, when then requesting a protected page the application will redirect him to login page.
What I was focusin on was the PHPSESSID. Which initially was set to 30 minutes. I increased that by adding "28800" to what seems to be a global call to setcookie.
When I then reloaded the page, I could see that PHPSESSID would expire after 8 hours.
Despite this, the use is still being logged out after 30 minutes.
So changing cookie expiration didn't gave anything.
What's next? Changing the php session duration?
Current relevant values are:
session.cache_expire: 180
session.gc_divisor: 1000
session.entropy_length:32
session.gc_maxlifetime: 14400
session.gc_probability:1
session.name: PHPSESSID
Or is this related to the framework itself? Somewhere in Zend to adjust the expiration of the session?
If you are using zend then try this.
$auth = Zend_Auth::getInstance();
if ($auth->hasIdentity()) {
$authns = new Zend_Session_Namespace($auth->getStorage()->getNamespace());
$authns->setExpirationSeconds(60 * 30); //expire auth storage after 30 min
}
If you have multiple php site storing session files in the same dir - php gc processes may have different set for session. In this case store session files in another, only for you site, directory.

Keep the session alive even if the browser closed [duplicate]

Could anyone tell how to maintain a session (in PHP) so that the session contains are preserved and are accessible even after the browser is restarted.
In general a session expires with the closing of a browser, but I want the session NOT TO BE CLOSED so that the session data's can be accessed the next time the browser is used.
Use session_set_cookie_parameters() to give the session cookie a non-zero lifetime before starting the session, or set session.cookie_lifetime to non-zero.
It's oxymoron.
Session stands for "until browser is closed".
Session is something that expires.
If you don't want it to be expired, you're probably don't want a session at all.
You are probably messing session with cookie or database.
Session in php (and in most web technologies) work like this :
You store a session id in a cookie on the client computer.
When the client come to your site he send you the session id.
The server find the session datas in a file with the session id and load it.
So closing the browser has not effect on the session, but if the browser empty the cookie when you close it (I don't think any browser do such a thing).
If you wana be sure the user is always logged in, you can store it's user/password in his cookies but it's not really safe.
The easiest and best i have found is that instead of just session_start we should input this on each page there is a session
$expire = 365*24*3600; // We choose a one year duration
ini_set('session.gc_maxlifetime', $expire);
session_start(); //We start the session
setcookie(session_name(),session_id(),time()+$expire);
//Set a session cookies to the one year duration
You can do something like this: (see session_set_cookie_parameters() and session_name())
// long long time
$sessionTime = 365 * 24 * 60 * 60;
$sessionName = "my_session";
session_set_cookie_params($sessionTime);
session_name($sessionName);
session_start();
if (isset($_COOKIE[$sessionName])) {
setcookie($sessionName, $_COOKIE[$sessionName], time() + $sessionTime, "/");
}
For $sessionTime, also refer to this question
This can be done if you use cookies instead of sessions.

Session timeout issue in php

I have set session timeout time for 20 Minutes as below.Sometime the session timeout is happening in two or three minutes.
ini_set('session.gc_maxlifetime', 1200);
ini_set('session.cookie_lifetime', 1200);
ini_set('session.gc_probability', 1);
ini_set('session.gc_divisor', 100);
What could be the issue?
The 20 minute expiration does not reset when the user browses other pages. The problem is explained in this comment:
As PHP's Session Control does not handle session lifetimes correctly
when using session_set_cookie_params(), we need to do something in
order to change the session expiry time every time the user visits our
site. So, here's the problem.
$lifetime=600;
session_set_cookie_params($lifetime);
session_start();
This code doesn't change the lifetime of the session when the user
gets back at our site or refreshes the page. The session WILL expire
after $lifetime seconds, no matter how many times the user requests
the page. So we just overwrite the session cookie as follows:
$lifetime=600;
session_start();
setcookie(session_name(),session_id(),time()+$lifetime);
And now we have the same session cookie with the lifetime set to the
proper value.
Better, leave the session.cookie_lifetime to 0 so that the cookie expires when the browser is closed. Otherwise, users who assume that closing the browser will end their session will be surprised when they re-open their browser before the 20 minute timeout.
Edit regarding gc_xxxx settings
gc_probability = 1, gc_divisor = 1, gc_maxlifetime = 1200
1/1 implies PHP will check the date of session files for every session_start call.
gc_probability = 1, gc_divisor = 100, gc_maxlifetime = 1200
1/100 means PHP will check the date of session files randomly but approximately once per 100 session_start calls.
The date check itself consist of comparing session file's accessed time with gc_maxlifetime; it deletes the file if wasn't accessed in the past (e.g.) 20 minutes.
Having said that, if the cookie expires because of timeout (or closing of browser when timeout was 0) the session expires immediately since the browser stops sending the expired session id cookie; in which case PHP issues a new session id cookie. The session id file associated with the expired cookie becomes abandoned, does not get accessed anymore; therefore garbage collected anytime as described above.
Last, your specific issue can be resolved (i) by looking at the expiry date of session id cookie (ii) and remembering that cookies with timeout are not renewed when page is visited/refreshed.

What is the default session expiration time in PHP?

I have a web application that pings a database every minute or so to check for new entries. The page is designed to not really have any interaction with... You just keep it open and it displays things. The page is password protected, and the site can be up for a coupe days without anyone clicking in the web browser or anything. I've found after it's up for like a day or so it stops checking the database (through an Ajax request) and then if you refresh the page manually it brings you to the login page again. I'm assuming that's because the session which has the login information expires. I never set an expiration time, but does PHP automatically destroy the sessions after a certain amount of time? What do I do to fix this?
Thanks
Thanks for all the replies... Is there a way to set the session to never expire with out just changing the PHP settings themselves?
The default value of session.gc_maxlifetime is 1440 seconds. So the garbage collector assumes a session to be expired when the last modification was at least 1440 seconds ago.
Note that when using a cookie for the session ID it might have a different lifetime. The default value 0 of session.cookie_lifetime makes the cookie a session cookie, that means it expires when the browser session is ended (i.e. the browser is closed).
See also my answer on How do I expire a PHP session after 30 minutes? for further information on session expiration.
From php.ini:
; Lifetime in seconds of cookie or, if
0, until browser is restarted. ;
http://php.net/session.cookie-lifetime
session.cookie_lifetime = 0
That would be the default if I'm not mistaken. Either set it to zero (if it's not already set) or just use another cookie.

Categories