PHP Sessions Not Extending Cookie Expiration on Each Request - php

Is session_start() supposed to extend the life of the session ID cookie by the session.gc_maxlifetime variable?
My session.gc_maxlifetime is 24 minutes, and each session is only living 24 minutes regardless of additional activity on the site. I get my session, refresh the page, and the expiration time does not change. This results in a logout after 24 minutes of login, no matter what. Is there something wrong with my configuration?

I had problem with this too. I was thinking that each
session_set_cookie_params($sessionTime, '/', $domain);
session_start();
causes that expiration time for cookie PHPSESSID is extended. But really cookie PHPSESSID is set by session_start() only first time in session when new session id is generated.
My goal was that session expiration time should regenerate each time a page was opened. I figured out that session can expire because of two reasons:
Cookie PHPSESSID expires, and its expiration time isn't regenerated by session_start(), so session will always expire because of cookie with expiration time.
No activity of user will cause that session will expire on server side. It is set by ini_set('session.gc_maxlifetime', $sessionTime).
Solution in this case is when you won't set expiration time for cookie, but session.gc_maxlifetime is still set:
function my_session_start($maxtime = 300)
{
ini_set('session.gc_maxlifetime', $maxtime);
session_set_cookie_params(0, '/', "." . $domain);
session_start();
}
Most important is 0 in session_set_cookie_params(0, '/', "." . $domain) then cookie won't expire and there is no need to extend its expiration time. This cookie will be removed when browser is closed. Then we are limited only by time which expires on server side.
I had also problems with that I couldn't extend PHP session time by jQuery Ajax PINGs because of that I had set expiration time for PHPSESSID in cookie. 0 resolves all problems with not expected ends of sessions. Sorry for my English. Good luck.

I've noticed this behavior in PHP and tried every configuration on PHP but no luck so far.
My sessions were dying on exact time from first session_start(), lookig at cookie lifetime, it was not renewing its expiry time.
My application already has an important client count, about 60 connections per second, so the GC was hit every 1.5s (i guess).
My solution for cookie time not extending was something like this (It may seem not to elegant, but worked for me).
function my_session_start($maxtime = 300){
// $maxtime = 300 for 5 minutes
session_start( [ 'gc_maxlifetime' => $maxtime ] );
$_sess_name = session_name();
$_sess_id = session_id();
setcookie( $_sess_name, $_sess_id, time() + $maxtime, '/' );
}
It's my particular solution, as the question says "session ID cookie". May not be the optimal, but indeed it works for me!

I think this post will provide the solution you are looking for: Session timeouts in PHP: best practices
Basically, when session_start() is called, there is a 1% probability (by default) that the garbage collector will be run. When the garbage collector is run it scans for and deletes expired sessions. However, when you are the only user accessing the page (which you probably are, during development) or there are very few users, the garbage collector will only run when you access a page. This happens AFTER session_start() is called, effectively resetting the timer. Instead of trying to work around this, just implement your own session_start() function which enforces the timeout. Try the function that the #Glass Robot posted, in the link I gave you above.

Related

Keep PHP session alive until an hour of "inactivity" has passed

I have read several articles on this topic but still don't fully understand the relationship between the client-side session cookie, the server-side session file, and the way PHP "randomly" chooses to remove or keep a session during garbage collection.
The behavior I am trying to ensure is:
a user logs in, and the session begins
if the user is inactive* for a period of 1 hour, the session is
destroyed
*this is critical for my site because the user may be spending an hour apparently "idle" on the same page, but in fact they are not idle. They may be composing a long written report, watching a video, etc.
What I'm using so far is:
session_start();
setcookie(session_name(),session_id(),time()+3600);
This code is executed on every page load.
I also have an AJAX request firing every minute via a setInterval, which loads a PHP script containing the above code on pages where the user is apparently "idle".
Will my approach ensure the behavior I require? Or am I missing something? Perhaps there is a cleaner way to ensure this behavior.
Many thanks in advance.
you could try something like this:
if (isset($_SESSION['LAST_ACTIVITY'])&&(time() - $_SESSION['LAST_ACTIVITY'] > 3600)) {
// this takes 60 minutes
session_unset();
session_destroy(); // destroy session data that is in storage
}
I ... still don't fully understand the relationship between the client-side session cookie, the server-side session file, and the way PHP "randomly" chooses to remove or keep a session during garbage collection.
The client-side cookie does not hold any info about the user. It's only a token, which is sent to the server with any other info with every new request. The expiration limit you are setting indicates how long the client-side cookie is valid.
Server-side session files and garbage collection is something else. In php.ini you may set session.gc_maxlifetime, defaulting to 1440, which indicates "the number of seconds after which data will be seen as 'garbage' and potentially cleaned up". And then there is session.gc_probability (defaulting to 1) and session.gc_divisor (defaulting to 100).
This means, that after 1440 seconds there is a 1/100 the garbage collector will start, cleaning the session, which now is considered garbage.
If you wish to remove the session after an hour with a 100% probability, set session.gc_probability to 0 and remove the old sessions manually. For this, you could save "last activity" in your database and cron a script, which removes sessions, which have "last activity" and time() difference larger, than 1 hour.

How long php sessions are stored in server?

I'm wondering how long php sessions are stored in server memory.What if user logs in (sets session variables in server) and he keeps his browser open for a long time suppose 30 days and he reloads the page on the 31st day? Can browser access session variables(browser still has session cookie)?
Default php.ini sets the session expiration time to 30 minutes.
Check out these settings: session.gc_maxlifetime and session.cookie_lifetime
As long as the browser have the cookie stored, it doesn't matter if it is closed or is open.
If you want to store the session for lets say 30 days, you can add:
ini_set('session.gc_maxlifetime', 30*24*60*60);
ini_set('session.cookie_lifetime', 30*24*60*60);
Normally you would code as part of your session handling code a function for expiring sessions after some time has elapsed, so in that case it would't matter how long they left there browser open
I think this depends on what you have set in php.ini http://php.net/manual/en/function.session-set-cookie-params.php

Session destroy on browser close

I have heard many times that a session get destroy as our browser close.
Then how I keep logged in after closing and reopening my browser.
Please help
You keep login because your sessions are not destroyed even when the browser is closed. Sessions destroying on the closing of the browser is default behaviour but but this does not mean its the only behaviour. You can extend the expiry time of session.
This behaviour can be changed in the php.ini file by altering the line:
Keeping a session alive indefinitely
session.cookie_lifetime = 0
So just check when you have set the expiry time for the sessions. Although using cookies will be a good option
Note:- Remember to restart your web server after making this change.
You have to use Cookies.
You can use the setcookie() function and read the value with the $_COOKIE['cookiename'] variable.
Use cookies, with a predefined expire time, I like 1 year
You can use cookies. Cookies are data that is stored directly on the HDD so that even if the browser was closed, cookies still can be read if it haven't expired yet.
Here is an example of setting up a cookie.
Paste this code BEFORE the tag.
<?php setcookie("$name", "$value", $time); ?>
Where $name is the cookie name, $value is the cookie value and $time is the time when your cookie will be expired. For example $time = time()+86400; will set your cookie to expire after 1 day. The 86400 value is the number of seconds in a day, 60seconds times 60minutes times 24hours, so 60x60x24 = 86400.

can php session expire while sending a post ?

Basically, a php session won't expire while a user is surfing on a website. But "while the user is surfing on the website" means that there are get and post requests. Nevertheless, i can't figure out if there has to be new requests, or if one active request is enough to maintain the session…
For instantce, i have a big file upload by post. It could then take hours. Will the session expire or not ?
The lifetime of a session depends on the ini setting session.gc-maxlifetime. Every access to the session (read and write) resets the timer. After the timeout, when the session garbage collector runs, the session values are destroyed.
The default value is 1440, which means 24 minutes. So if you have hits that access the session in any way at least every 24 minutes, the session values will stay.
If you need the session to stay alive longer than that, you can extend the timeout with ini_set (use before session_start()), for example:
ini_set('session.gc_maxlifetime', 24*60*60); // 24 hours
It shouldn't. Usually when I work with $_SESSION's, they last for a day or so. But it might on some servers. In that case you need to add cookies, too. With cookies you can exactly manipulate the time the person can be online for.

The question between session.gc_maxlifetime and session.cookie_lifetime

My first question in stackoverflow. Thanks in advance!
I am so confused about the PHP session mechanism. I have understand the session.gc_maxlifetime by PHP - ini_set('session.gc_maxlifetime', 5) - Why it doesn't end the session?. But I still don't know the difference between session.gc_maxlifetime and session.cookie_lifetime.
Question:
What will happened if the time of session.cookie_lifetime is out? Will the session cookie be deleted from the client computer directly?
I need to figure this question, then continue to ask something further.
session.gc_maxlifetime is the time in seconds after which your session data could be considered as garbage data. In other words, you can say that it is the time an unused PHP session will be kept alive.
session.cookie_lifetime is the life time in seconds of session cookies whether the session is alive or not. So the cookies will stay alive until the given time is elapsed
See:
http://www.php.net/manual/en/session.configuration.php#ini.session.gc-maxlifetime
https://blogs.oracle.com/oswald/entry/php_session_gc_maxlifetime_vs
The cookie lifetime is transmitted to the client. If the cookie has reched its lifetime, the client usually deletes it. So it is client-side. Also the a session can be alive even after the cookie is gone, since you can create the same cookie again, epand its lifetime, or transmit the session-id via the uri.
Hope that helps!

Categories