My first question in stackoverflow. Thanks in advance!
I am so confused about the PHP session mechanism. I have understand the session.gc_maxlifetime by PHP - ini_set('session.gc_maxlifetime', 5) - Why it doesn't end the session?. But I still don't know the difference between session.gc_maxlifetime and session.cookie_lifetime.
Question:
What will happened if the time of session.cookie_lifetime is out? Will the session cookie be deleted from the client computer directly?
I need to figure this question, then continue to ask something further.
session.gc_maxlifetime is the time in seconds after which your session data could be considered as garbage data. In other words, you can say that it is the time an unused PHP session will be kept alive.
session.cookie_lifetime is the life time in seconds of session cookies whether the session is alive or not. So the cookies will stay alive until the given time is elapsed
See:
http://www.php.net/manual/en/session.configuration.php#ini.session.gc-maxlifetime
https://blogs.oracle.com/oswald/entry/php_session_gc_maxlifetime_vs
The cookie lifetime is transmitted to the client. If the cookie has reched its lifetime, the client usually deletes it. So it is client-side. Also the a session can be alive even after the cookie is gone, since you can create the same cookie again, epand its lifetime, or transmit the session-id via the uri.
Hope that helps!
Related
Can anyone please tell me the exact difference between these two:
session_set_cookie_params(seconds)
ini_set("session.cookie_lifetime", seconds)
I have read at several places that to increase PHP session timeout, we need to do following setting in our script:
ini_set("session.gc_maxlifetime", seconds);
Additionally, we also need to tell client to remember session id for specific time. So I am not sure that which one to use - 1 or 2 (above).
session_set_cookie_params(seconds) and ini_set("session.cookie_lifetime", seconds) both set the lifetime of a session cookie, which determines how long the cookie, and therefore the session, will remain valid on the client's browser.
session_set_cookie_params(seconds) sets the lifetime of the cookie for the current session, whereas ini_set("session.cookie_lifetime", seconds) sets the lifetime of the cookie for all future sessions.
ini_set("session.gc_maxlifetime", seconds); is used to set the maximum lifetime of a session. This setting determines how long a session can remain inactive before it is garbage collected by PHP. This setting is important, because if the user's cookie lifetime is longer than the session's lifetime, the user will be able to access the session even if the session data has been removed by the garbage collector.
In general, you should use both session_set_cookie_params(seconds) and ini_set("session.gc_maxlifetime", seconds); to increase the PHP session timeout. The first sets the cookie lifetime for the current session, and the second sets the maximum lifetime for all future sessions. This way you are instructing the client to remember the session id for a specific time and also you are making sure that the session data is not garbage collected before the cookie expires.
I'm wondering how long php sessions are stored in server memory.What if user logs in (sets session variables in server) and he keeps his browser open for a long time suppose 30 days and he reloads the page on the 31st day? Can browser access session variables(browser still has session cookie)?
Default php.ini sets the session expiration time to 30 minutes.
Check out these settings: session.gc_maxlifetime and session.cookie_lifetime
As long as the browser have the cookie stored, it doesn't matter if it is closed or is open.
If you want to store the session for lets say 30 days, you can add:
ini_set('session.gc_maxlifetime', 30*24*60*60);
ini_set('session.cookie_lifetime', 30*24*60*60);
Normally you would code as part of your session handling code a function for expiring sessions after some time has elapsed, so in that case it would't matter how long they left there browser open
I think this depends on what you have set in php.ini http://php.net/manual/en/function.session-set-cookie-params.php
Basically, a php session won't expire while a user is surfing on a website. But "while the user is surfing on the website" means that there are get and post requests. Nevertheless, i can't figure out if there has to be new requests, or if one active request is enough to maintain the session…
For instantce, i have a big file upload by post. It could then take hours. Will the session expire or not ?
The lifetime of a session depends on the ini setting session.gc-maxlifetime. Every access to the session (read and write) resets the timer. After the timeout, when the session garbage collector runs, the session values are destroyed.
The default value is 1440, which means 24 minutes. So if you have hits that access the session in any way at least every 24 minutes, the session values will stay.
If you need the session to stay alive longer than that, you can extend the timeout with ini_set (use before session_start()), for example:
ini_set('session.gc_maxlifetime', 24*60*60); // 24 hours
It shouldn't. Usually when I work with $_SESSION's, they last for a day or so. But it might on some servers. In that case you need to add cookies, too. With cookies you can exactly manipulate the time the person can be online for.
Is session_start() supposed to extend the life of the session ID cookie by the session.gc_maxlifetime variable?
My session.gc_maxlifetime is 24 minutes, and each session is only living 24 minutes regardless of additional activity on the site. I get my session, refresh the page, and the expiration time does not change. This results in a logout after 24 minutes of login, no matter what. Is there something wrong with my configuration?
I had problem with this too. I was thinking that each
session_set_cookie_params($sessionTime, '/', $domain);
session_start();
causes that expiration time for cookie PHPSESSID is extended. But really cookie PHPSESSID is set by session_start() only first time in session when new session id is generated.
My goal was that session expiration time should regenerate each time a page was opened. I figured out that session can expire because of two reasons:
Cookie PHPSESSID expires, and its expiration time isn't regenerated by session_start(), so session will always expire because of cookie with expiration time.
No activity of user will cause that session will expire on server side. It is set by ini_set('session.gc_maxlifetime', $sessionTime).
Solution in this case is when you won't set expiration time for cookie, but session.gc_maxlifetime is still set:
function my_session_start($maxtime = 300)
{
ini_set('session.gc_maxlifetime', $maxtime);
session_set_cookie_params(0, '/', "." . $domain);
session_start();
}
Most important is 0 in session_set_cookie_params(0, '/', "." . $domain) then cookie won't expire and there is no need to extend its expiration time. This cookie will be removed when browser is closed. Then we are limited only by time which expires on server side.
I had also problems with that I couldn't extend PHP session time by jQuery Ajax PINGs because of that I had set expiration time for PHPSESSID in cookie. 0 resolves all problems with not expected ends of sessions. Sorry for my English. Good luck.
I've noticed this behavior in PHP and tried every configuration on PHP but no luck so far.
My sessions were dying on exact time from first session_start(), lookig at cookie lifetime, it was not renewing its expiry time.
My application already has an important client count, about 60 connections per second, so the GC was hit every 1.5s (i guess).
My solution for cookie time not extending was something like this (It may seem not to elegant, but worked for me).
function my_session_start($maxtime = 300){
// $maxtime = 300 for 5 minutes
session_start( [ 'gc_maxlifetime' => $maxtime ] );
$_sess_name = session_name();
$_sess_id = session_id();
setcookie( $_sess_name, $_sess_id, time() + $maxtime, '/' );
}
It's my particular solution, as the question says "session ID cookie". May not be the optimal, but indeed it works for me!
I think this post will provide the solution you are looking for: Session timeouts in PHP: best practices
Basically, when session_start() is called, there is a 1% probability (by default) that the garbage collector will be run. When the garbage collector is run it scans for and deletes expired sessions. However, when you are the only user accessing the page (which you probably are, during development) or there are very few users, the garbage collector will only run when you access a page. This happens AFTER session_start() is called, effectively resetting the timer. Instead of trying to work around this, just implement your own session_start() function which enforces the timeout. Try the function that the #Glass Robot posted, in the link I gave you above.
My application uses some session variables that are timing out even though I thought they would not because I've got the following setting in php.ini:
session.cookie_lifetime = 0
The other session settings in php.ini are pretty much set as their defaults. How do I make sure the session variables stay around until the browser window closes?
I think you set the session timeout with session.gc_maxlifetime which defaults to 1440 seconds - 24 minutes
Note that since PHP 4.2.3 the life time is calculated on the base of the modification date and not the access date (see session.gc_maxlifetime). So you have to update the session data on every request to “reset the timer”.