I already altered my php.ini in Apache to have these settings:
session.gc_maxlifetime = 1440
session.cache_expire = 1500
But my sessions are not that long. The problem is that I am not certain which settings would "do the trick".
Ideally I am looking for the right configuration to have the session last 12 hours. Could anyone help me with that?
Have you also set session.cookie_lifetime = 0?
And maybe somewhere in your scripts or some included scripts the session lifetime is set to another value?
The default "0" value means that the cookie stays alive until the browser is closed. This is also the default value, if not set in php.ini.
Source: http://www.php.net/manual/en/session.configuration.php#ini.session.cookie-lifetime
session.gc_maxlifetime is measured in seconds, so your setting of 1440 will expire after 24 minutes. (see: http://php.net/session.gc-maxlifetime)
For 12 hour session I believe you need:
session.gc_maxlifetime = 43200
session.cache_expire = 720
session.cookie_lifetime = 0
Have a look at:
session.cookie_lifetime x
Where x is the lifetime in seconds
Also, if you are on a shared host, make sure the session data under /tmp is not removed by the host with some sort of clean script. Some hosts clear /tmp every 10 minutes.
Findings :
I have done some research on PHP Session and came across the session.gc_maxlifetime value of 1440 seconds.
I've read on php.net that the maximum value of session.gc_maxlifetime is 65535.
Questions :
Is it possible to set my maxlifetime to more than 65535 seconds?
Why is the session value 1440?
What happens if we increase the session maxlifetime to more than 65535 seconds? The server configuration doesn't support this?
I have added the following lines in my htaccess file :
php_value session.cookie_lifetime 14400
php_value session.gc_maxlifetime 14400
Also have added a php.ini file in the root directory with the following code :
session.gc_maxlifetime = 14400
session.cookie_lifetime = 14400
Also inside the php code have added the following lines :
ini_set('session.cookie_lifetime',14400);
ini_set('session.gc_maxlifetime',14400);
setcookie("_lid", $lid, time() + 14400);
So basically the session should work for 4 hours. But it is getting timed out in about 24 mins or so which is the default timeout time in php.
I may be missing something. Would be great if someone can provide some inputs.
Thanks
I was having the exact same problem - the session.gc_maxlifetime & session.cookie_lifetime values were set but appeared to not be honoured... Then, I found a comment on an old thread which clearly needs a lot more recognition:
How do I expire a PHP session after 30 minutes?
Please note that at least two settings are crucial to setting the
session time, and maybe three. The two certainly crucial ones are
session.gc_maxlifetime and session.cookie_lifetime (where 0 is not the
same as some long number). For complete, 100% certainty of allowing
long times, it may also be necessary to set the session.save_path, due
to varying OS-controlled cleanup time on the /tmp directory where
session files get stored by default. – #Kzqai Apr 7 '11 at 8:04
Last night I logged in and the following morning I was still logged in, even if I quit my browser. I want the session to expire after a few hours and I thought that it would work with "session.gc_maxlifetime" set to "1440" and "session.cache_expire" set to "180"
Here is what I could find from PHP.ini
Session Support enabled
Registered save handlers files user
Registered serializer handlers php php_binary wddx
session.auto_start Off
session.bug_compat_42 Off
session.bug_compat_warn Off
session.cache_expire 180
session.cache_limiter nocache
session.cookie_domain no value
session.cookie_httponly Off
session.cookie_lifetime 0
session.cookie_path /
session.cookie_secure Off
session.entropy_file no value
session.entropy_length 0
session.gc_divisor 1000
session.gc_maxlifetime 1440
session.gc_probability 0
session.hash_bits_per_character 5
session.hash_function 0
session.name PHPSESSID
session.referer_check no value
session.save_handler files
session.save_path /var/lib/php5
session.serialize_handler php
session.use_cookies On
session.use_only_cookies On
session.use_trans_sid 0
On our old server we used the same settings and the sessions worked.
The only difference from the old one is the "session.save_handler" that is set to "memcache" on the old server. Also "session.save_path" is different.
Relying on other things and hoping they work is not my thing. :D I think that the best solution would be to implement a session timeout on your own. Use a simple time stamp that denotes the time of the last activity (i.e. request) and update it with every request:
if (isset($_SESSION['LAST_ACTIVITY']) && (time() - $_SESSION['LAST_ACTIVITY'] > 1800)) {
    // last request was more than 30 minutes ago
    session_unset();     // unset $_SESSION variable for the run-time
    session_destroy();   // destroy session data in storage
}
$_SESSION['LAST_ACTIVITY'] = time(); // update last activity time stamp
Updating the session data with every request does also change the session file’s modification date so that the session is not removed by the garbage collector prematurely.
~Foorack
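The timeout check from the answer above, extended with an absolute lifetime and a fresh session ID on expiry. This is an added example, not code from the original answer; IDLE_LIMIT, ABSOLUTE_LIMIT, the CREATED key and both function names are assumptions, and only LAST_ACTIVITY comes from the answer.

```php
<?php
// Added example, not code from the answer above. IDLE_LIMIT, ABSOLUTE_LIMIT,
// the CREATED key and both function names are assumptions of this example;
// LAST_ACTIVITY is the key used in the answer.
const IDLE_LIMIT     = 1800;   // 30 minutes without a request
const ABSOLUTE_LIMIT = 43200;  // 12 hours since the session was created

// Pure decision so it can be checked without a live session.
function session_expiry_reason(array $s, int $now): string
{
    if (isset($s['CREATED']) && $now - $s['CREATED'] > ABSOLUTE_LIMIT) {
        return 'absolute';
    }
    if (isset($s['LAST_ACTIVITY']) && $now - $s['LAST_ACTIVITY'] > IDLE_LIMIT) {
        return 'idle';
    }
    return 'ok';
}

// Call once at the top of every request, before any output is sent.
function enforce_session_timeouts(): string
{
    // The stored data must outlive the longest limit enforced here.
    ini_set('session.gc_maxlifetime', (string) ABSOLUTE_LIMIT);
    session_start();
    $now    = time();
    $reason = session_expiry_reason($_SESSION, $now);
    if ($reason !== 'ok') {
        $_SESSION = [];               // drop the expired login state
        session_regenerate_id(true);  // new ID, old session data deleted
    }
    $_SESSION['CREATED']       = $_SESSION['CREATED'] ?? $now;
    $_SESSION['LAST_ACTIVITY'] = $now;
    return $reason;
}

if (PHP_SAPI === 'cli') {
    $now = 1700000000;  // constructed timestamps for the three cases
    $cases = [
        'active'  => ['CREATED' => $now - 3600,  'LAST_ACTIVITY' => $now - 60],
        'idle'    => ['CREATED' => $now - 3600,  'LAST_ACTIVITY' => $now - 2000],
        'too old' => ['CREATED' => $now - 50000, 'LAST_ACTIVITY' => $now - 10],
    ];
    foreach ($cases as $name => $session) {
        echo $name, ': ', session_expiry_reason($session, $now), PHP_EOL;
    }
}
```

The ini_set() call only protects the stored data when session.save_path is not shared with applications that use a shorter gc_maxlifetime.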
It may help to change gc_probability to something other than 0.
From the manual for gc_divisor:
session.gc_divisor coupled with session.gc_probability defines the probability that the gc (garbage collection) process is started on every session initialization. The probability is calculated by using gc_probability/gc_divisor, e.g. 1/100 means there is a 1% chance that the GC process starts on each request. session.gc_divisor defaults to 100.
If I'm reading from this right, with gc_probability being 0, the garbage collector is never run, rendering gc_maxlifetime useless.
GC is an expensive process for file-based sessions, so it's not a good idea to run it on every request, [edit: so PHP has a built in randomization to run it periodically]
Addendum:
For anything with real security implications, it's likely better to handle invalidating the session in your script, as Max's answer suggests. Also session.cache_expire sets the default expiration for session pages that are sent to the browser, and doesn't affect session storage at all.
Given you've reset gc_maxlifetime, a couple of things I can think of left to check when this happens:
PHP needs a restart
session is recreated/regenerated somewhere
I can't figure out why my PHP sessions are timing out after 24 minutes even after I set session.gc_maxlifetime to a very high amount.
I specifically went into my /tmp folder to look at the session data files being created. Just as you would expect with PHP's garbage collecting, every so often the older files would be deleted. Every time, it seemed to be the files that were > 24 minutes old. This seems strange because the default of session.gc_maxlifetime is 1440 seconds (24 minutes). But I changed that variable, and nothing else in php.ini is set to 1440. What could possibly be causing this?
I can't understand...
If you don't want to have files older than 24 minutes, then you don't need to change anything.
Otherwise, just extend the 1440 value to the one you need and restart Apache.
Which value did you assign to the session.gc_maxlifetime?
If I hit a page which calls session_start(), how long would I have to wait before I get a new session ID when I refresh the page?
Check out php.ini: the value set for session.gc_maxlifetime is the ID lifetime in seconds.
I believe the default is 1440 seconds (24 mins)
http://www.php.net/manual/en/session.configuration.php
Edit: As some comments point out, the above is not entirely accurate. A wonderful explanation of why, and how to implement session lifetimes is available here:
How do I expire a PHP session after 30 minutes?
The default in the php.ini for the session.gc_maxlifetime directive (the "gc" is for garbage collection) is 1440 seconds or 24 minutes. See the Session Runtime Configuration page in the manual:
http://www.php.net/manual/en/session.configuration.php
You can change this constant in the php.ini or httpd.conf files if you have access to them, or in the local .htaccess file on your web site. To set the timeout to one hour using the .htaccess method, add this line to the .htaccess file in the root directory of the site:
php_value session.gc_maxlifetime "3600"
Be careful if you are on a shared host or if you host more than one site where you have not changed the default. The default session location is the /tmp directory, and the garbage collection routine will run every 24 minutes for these other sites (and wipe out your sessions in the process, regardless of how long they should be kept). See the note on the manual page or this site for a better explanation.
The answer to this is to move your sessions to another directory using session.save_path. This also helps prevent bad guys from hijacking your visitors' sessions from the default /tmp directory.
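The answers above name several settings that each cut a session short on their own: gc_maxlifetime, gc_probability, cookie_lifetime and a shared save_path. The following added example (not code from any answer on this page) checks them together; audit_session_settings() and $wantSeconds are assumptions, and the sample values are copied from the phpinfo() listing on this page.

```php
<?php
// Added example, not code from any answer on this page.
// audit_session_settings() and $wantSeconds are assumptions of this example.
function audit_session_settings(array $ini, int $wantSeconds): array
{
    $findings = [];
    $gcMax = (int) $ini['session.gc_maxlifetime'];
    if ($gcMax < $wantSeconds) {
        $findings[] = "gc_maxlifetime={$gcMax}s is shorter than the wanted {$wantSeconds}s";
    }
    if ((int) $ini['session.gc_probability'] === 0) {
        $findings[] = 'gc_probability=0: PHP never starts session GC on session_start(), '
                    . 'so cleanup is left to something outside PHP';
    }
    $cookie = (int) $ini['session.cookie_lifetime'];
    if ($cookie === 0) {
        $findings[] = 'cookie_lifetime=0: the cookie lasts until the browser is closed';
    } elseif ($cookie < $wantSeconds) {
        $findings[] = "cookie_lifetime={$cookie}s ends before the wanted {$wantSeconds}s";
    }
    // save_path may carry "N;" or "N;MODE;" prefixes; keep only the directory.
    $path = rtrim(preg_replace('/^.*;/', '', (string) $ini['session.save_path']), '/');
    if ($path === '' || $path === '/tmp' || $path === rtrim(sys_get_temp_dir(), '/')) {
        $findings[] = 'save_path is the shared temp directory: GC from another site '
                    . 'or an OS cleanup job can delete these session files';
    }
    return $findings;
}

// Constructed input: values copied from the phpinfo() listing on this page.
$sample = [
    'session.gc_maxlifetime'  => '1440',
    'session.gc_probability'  => '0',
    'session.cookie_lifetime' => '0',
    'session.save_path'       => '/var/lib/php5',
];
foreach (audit_session_settings($sample, 4 * 3600) as $finding) {
    echo "- $finding", PHP_EOL;
}

// The same check against the running configuration.
$live = [];
foreach (array_keys($sample) as $key) {
    $live[$key] = ini_get($key);
}
foreach (audit_session_settings($live, 4 * 3600) as $finding) {
    echo "- $finding", PHP_EOL;
}
```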
It depends on your PHP settings...
Use phpinfo() and take a look at the session chapter. There are values like session.gc_maxlifetime and session.cache_expire and session.cookie_lifetime which affect the session's lifetime.
EDIT:
It's like Martin wrote before.
According to a user on PHP.net site, his efforts to keep session alive failed, so he had to make a workaround.
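<?php
$Lifetime = 3600; // session lifetime in seconds
$separator = (strstr(strtoupper(substr(PHP_OS, 0, 3)), "WIN")) ? "\\" : "/";
$DirectoryPath = dirname(__FILE__) . "{$separator}SessionData";
//in Wamp for Windows the result for $DirectoryPath
//would be C:\wamp\www\your_site\SessionData
// Owner-only permissions: session files must not be readable by other local users.
// This directory sits next to the script, so it must also be denied to web requests.
is_dir($DirectoryPath) or mkdir($DirectoryPath, 0700);
// Never pass the session ID in URLs.
if (ini_get("session.use_trans_sid") == true) {
    ini_set("url_rewriter.tags", "");
    ini_set("session.use_trans_sid", false);
}
ini_set("session.gc_maxlifetime", $Lifetime);
// gc_probability/gc_divisor = 1/1: garbage collection runs on every session start.
ini_set("session.gc_divisor", "1");
ini_set("session.gc_probability", "1");
ini_set("session.cookie_lifetime", "0"); // cookie lasts until the browser is closed
ini_set("session.save_path", $DirectoryPath);
session_start();
?>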
The SessionData folder will store the text files that hold session information; each file will have a name similar to "sess_a_big_hash_here".
You can use something like ini_set('session.gc_maxlifetime', 28800); // 8 * 60 * 60 too.
But watch out, on most xampp/ampp/...-setups and some Linux distributions it's 0, which means the file will never get deleted until you do it within your script (or dirty via shell)
PHP.INI:
; Lifetime in seconds of cookie or, if 0, until browser is restarted.
; http://php.net/session.cookie-lifetime
session.cookie_lifetime = 0