Change the expiry time of PHPSESSID Cookie - php

I have been at this for a day now, but nothing seems to be working.
What I want to do: change the expiry time of the session cookie PHPSESSID when a particular checkbox is checked. How do I do this?
I have tried:
ini_set()
session_set_cookie_params()
setcookie()
but nothing works. Can someone please, please help me here?
Thanks

To specify the session lifetime, server side, either apply the following command
ini_set('session.gc_maxlifetime', 30*60); // expires in 30 minutes
or set it in your php.ini file.
To set the session cookie lifetime, client side, either leave it as it is (0, will die when the browser is closed), or
ini_set('session.cookie_lifetime', 30*60); // 30 minutes
or in the php.ini.
If you choose to use ini_set(), be sure to place the commands before session_start() is called.
Note that the ini_set function sets configuration option(s) during the script execution time only.
Regarding the checkbox and having a dynamic setting of the session lifetime, you could
use APC to store a setting shared by all PHP processes, that will last until the PHP server is down
write a value in a file somewhere that you load at the start of scripts (expensive) and set the value
(each script will have to ini_set() once before session_start())
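An added example (not part of the original answer) of the checkbox case: the PHPSESSID cookie is re-sent with a lifetime chosen at login, and the idle timeout is enforced server-side from a timestamp kept in the session, because session.gc_maxlifetime only decides when garbage collection may delete the data. The names remember_me, idle_limit and last_activity are assumptions, the site is assumed to be served over HTTPS, and the array form of setcookie() needs PHP 7.3 or later.

```php
<?php
// Added example; remember_me, idle_limit and last_activity are illustrative names.
const SHORT_IDLE = 30 * 60;         // idle timeout without the checkbox
const LONG_IDLE  = 14 * 24 * 3600;  // idle timeout with the checkbox ticked

// (Re)send the session id cookie; a lifetime of 0 means "until the browser closes".
function sendSessionCookie(int $lifetime): void
{
    setcookie(session_name(), session_id(), [
        'expires'  => $lifetime > 0 ? time() + $lifetime : 0,
        'path'     => '/',
        'secure'   => true,    // assumes the site is served over HTTPS
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

function startSession(): void
{
    // GC must keep the data at least as long as the longest idle limit.
    ini_set('session.gc_maxlifetime', (string) LONG_IDLE);
    ini_set('session.use_strict_mode', '1');
    session_start();

    // Enforce the timeout on the server: the cookie's expiry date is only
    // a hint to the browser and is not checked by PHP.
    $limit = $_SESSION['idle_limit'] ?? SHORT_IDLE;
    $last  = $_SESSION['last_activity'] ?? time();
    if (time() - $last > $limit) {
        $_SESSION = [];
        session_regenerate_id(true);   // discard the expired id and its data
        $limit = SHORT_IDLE;
    }
    $_SESSION['last_activity'] = time();

    // Sliding expiry for the persistent cookie, plain session cookie otherwise.
    sendSessionCookie($limit === LONG_IDLE ? LONG_IDLE : 0);
}

// Call from the login handler once the credentials have been verified.
function onLogin(bool $remember): void
{
    session_regenerate_id(true);       // new id when the privilege level changes
    $_SESSION['idle_limit'] = $remember ? LONG_IDLE : SHORT_IDLE;
    sendSessionCookie($remember ? LONG_IDLE : 0);
}

startSession();
```

The login handler would call onLogin(isset($_POST['remember_me'])), since an unticked checkbox is simply absent from the posted form.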

Related

what is the default session time in PHP and how can I change it?

I am trying to change the session timeout in PHP; how is that possible?
And what is the default session timeout value in PHP?
I work on my XAMPP localhost for development every day.
I feel annoyed by phpMyAdmin automatically logging out so quickly. Is there any way I can change the session timeout?
Where can I set this timeout value?
Yes, you can change it in the php.ini file. The default is 24 minutes (1440 seconds).
Here is a link; I hope it helps you.
max session time
Or you can also change it in the PHP connection file.
ini_set('session.gc_maxlifetime', 3600); //Make it one hour

Session Lifetime on PhpMyAdmin

I have tried multiple ways to extend this, so as to not have to log in every 1440 seconds on a development server. Yet the problem still persists.
Could anybody advise on the "correct" way to achieve this? I want to set the cookie session timeout to 3600 (1 hour) instead of the default 1440.
I have tried:
Set: 'session.gc_maxlifetime' within my php.ini file
Gone onto phpmyadmin under Settings => Features => General => Login cookie validity and set this to be the timing I want.
Gone into config.ini.php in the phpmyadmin files and set: '$cfg['LoginCookieValidity']' to the required time.
Each attempt I have made sure to restart apache so as to load the new configuration. However the problem still persists.
Any help/advice will be much appreciated.
You have to edit phpmyadmin's configuration file (config.inc.php) and set the variable $cfg['LoginCookieValidity'] = 3600, I've put it at the end of the file.
Next, you have to increase the php session timeout if it is lower than 3600 seconds, to do that you have to set session.gc_maxlifetime in the php.ini file.
After that you have to restart apache.
I have done it so and it works on Ubuntu 14.04.
First you need to verify whether ini_set is allowed on your system.
To find out what the default (file-based-sessions) session timeout value on the server is, you can view it through an ini_get command:
$currentTimeoutInSecs = ini_get('session.gc_maxlifetime');
// php.ini setting required for session timeout.
ini_set('session.gc_maxlifetime', 3600);
ini_set('session.gc_probability', 1);
ini_set('session.gc_divisor', 1);
session_set_cookie_params(3600);
session_start(); // ready to go!
If you want to change the session.cookie_lifetime:
This is required in some common file, because to get the session values throughout the application we need to call session_start() in each file; only then will we get the $_SESSION global variable values.
$sessionCookieExpireTime=8*60*60;
session_set_cookie_params($sessionCookieExpireTime);
session_start();

How does PHP detect that a session has timed out?

I'm wondering how PHP detects that a specific session has timed out.
In detail: I'm using the default (file based) session handler, with a default session lifetime and so on. Everything in php.ini is on default.
If a session is now started, PHP does a check (depending on session.gc_divisor and session.gc_probability) for any timed-out sessions. But where does PHP get the last session access time to check against?
The session file itself contains only the workload, e.g. x|i:1; for a $_SESSION['x'] = 1;, so there is no information about the last session access time.
I think that there is no in-memory information related to session start times, as the sessions are still working after a full server restart.
So, where does PHP get the information from? Is it comparing the mtime/ctime of the session file?
PHP's default session handler stores the $_SESSION data in a file using serialize(), in the directory specified by session.save_path. Generally the filename looks something like $filename = 'sess_' . session_id().
Since it's just a file, PHP can use the file's mtime (time of last modification) to determine which session files are stale. Basically it'll grab all the session files whose mtime exceeds the session.gc_maxlifetime value and unlink() them. As you've said, the probability of the cleanup occurring is governed by the session.gc_* ini variables.
Now, if you create your own session handlers with session_set_save_handler(), this is all out the window, and you've now got control over how sessions are stored and cleaned up, but this does explain the default behavior.
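The mtime comparison described in this answer, as an added example that is not part of the original post: it lists the sess_* files in a directory whose last write is older than a given lifetime, which is the set the default file handler's garbage collection would unlink. The function names and the temporary demo directory are assumptions, and the two sample files are constructed.

```php
<?php
// Added example: report the session files that file-based GC would delete.

// session.save_path may be "N;/path" or "N;MODE;/path"; keep only the path.
function sessionDir(string $savePath): string
{
    $parts = explode(';', $savePath);
    $dir = end($parts);
    return $dir !== '' ? $dir : sys_get_temp_dir();
}

// Returns [file name => seconds since last write] for files older than $maxLifetime.
function staleSessionFiles(string $dir, int $maxLifetime): array
{
    $now = time();
    $stale = [];
    foreach (glob(rtrim($dir, '/\\') . DIRECTORY_SEPARATOR . 'sess_*') ?: [] as $file) {
        clearstatcache(true, $file);
        $mtime = filemtime($file);
        if ($mtime !== false && $now - $mtime > $maxLifetime) {
            $stale[basename($file)] = $now - $mtime;
        }
    }
    return $stale;
}

// Constructed sample data: one fresh file and one last written 2000 s ago.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'gc_demo_' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'sess_fresh', 'x|i:1;');
file_put_contents($dir . DIRECTORY_SEPARATOR . 'sess_old', 'x|i:1;');
touch($dir . DIRECTORY_SEPARATOR . 'sess_old', time() - 2000);

// Check both files against the default gc_maxlifetime of 1440 seconds.
print_r(staleSessionFiles(sessionDir($dir), 1440));

// Remove the demo files again.
array_map('unlink', glob($dir . DIRECTORY_SEPARATOR . 'sess_*'));
rmdir($dir);
```

Pointing staleSessionFiles() at sessionDir(ini_get('session.save_path')) with the configured session.gc_maxlifetime shows which real sessions are due for collection without deleting anything.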

php session timeout

I have some issues concerning the timeout of a php session. I have set the following values during runtime of the application:
session.gc_maxlifetime = 3600
session.cookie_lifetime = 3600
session.save_path = myApplicationPath/tmp
session.use_cookies = 1
session.use_only_cookies = 1
However, my session keeps expiring in about 30 mins. Also, my tmp directory remains empty, so it appears no cookies are actually being set. echoing ini_get("session.save_path") does return the right path though.
Note:
If different scripts have different values of session.gc_maxlifetime but share the same place for storing the session data then the script with the minimum value will be cleaning the data. In this case, use this directive together with session.save_path.
PHP Manual
I'd say that PHP cannot find your save_path or does not have permission to write on that, so it stores session files (not cookies) in the default shared directory (so the site with shortest gc_maxlifetime will remove sessions from all other sites).

What is the default lifetime of a session?

If I hit a page which calls session_start(), how long would I have to wait before I get a new session ID when I refresh the page?
Check out php.ini; the value set for session.gc_maxlifetime is the ID lifetime in seconds.
I believe the default is 1440 seconds (24 mins).
http://www.php.net/manual/en/session.configuration.php
Edit: As some comments point out, the above is not entirely accurate. A wonderful explanation of why, and how to implement session lifetimes is available here:
How do I expire a PHP session after 30 minutes?
The default in the php.ini for the session.gc_maxlifetime directive (the "gc" is for garbage collection) is 1440 seconds or 24 minutes. See the Session Runtime Configuration page in the manual:
http://www.php.net/manual/en/session.configuration.php
You can change this constant in the php.ini or httpd.conf files if you have access to them, or in the local .htaccess file on your web site. To set the timeout to one hour using the .htaccess method, add this line to the .htaccess file in the root directory of the site:
php_value session.gc_maxlifetime "3600"
Be careful if you are on a shared host or if you host more than one site where you have not changed the default. The default session location is the /tmp directory, and the garbage collection routine will run every 24 minutes for these other sites (and wipe out your sessions in the process, regardless of how long they should be kept). See the note on the manual page or this site for a better explanation.
The answer to this is to move your sessions to another directory using session.save_path. This also helps prevent bad guys from hijacking your visitors' sessions from the default /tmp directory.
It depends on your PHP settings...
Use phpinfo() and take a look at the session chapter. There are values like session.gc_maxlifetime, session.cache_expire and session.cookie_lifetime which affect the session's lifetime.
EDIT:
It's like Martin wrote before.
According to a user on PHP.net site, his efforts to keep session alive failed, so he had to make a workaround.
<?php
$Lifetime = 3600;
$separator = (strstr(strtoupper(substr(PHP_OS, 0, 3)), "WIN")) ? "\\" : "/";
$DirectoryPath = dirname(__FILE__) . "{$separator}SessionData";
// In Wamp for Windows the result for $DirectoryPath
// would be C:\wamp\www\your_site\SessionData
// 0700 keeps the session files readable only by the PHP user
// (the mode is ignored on Windows).
is_dir($DirectoryPath) or mkdir($DirectoryPath, 0700);
if (ini_get("session.use_trans_sid") == true) {
    ini_set("url_rewriter.tags", "");
    ini_set("session.use_trans_sid", false);
}
ini_set("session.gc_maxlifetime", $Lifetime);
ini_set("session.gc_divisor", "1");
ini_set("session.gc_probability", "1");
ini_set("session.cookie_lifetime", "0");
ini_set("session.save_path", $DirectoryPath);
session_start();
?>
In the SessionData folder, text files holding session information will be stored; each file will have a name similar to "sess_a_big_hash_here".
You can use something like ini_set('session.gc_maxlifetime', 28800); // 8 * 60 * 60 too.
But watch out, on most xampp/ampp/...-setups and some Linux distributions it's 0, which means the file will never get deleted until you do it within your script (or dirty via shell).
PHP.INI:
; Lifetime in seconds of cookie or, if 0, until browser is restarted.
; http://php.net/session.cookie-lifetime
session.cookie_lifetime = 0
