How to increase the idle session expiry in php through htaccess? - php

Anybody can help on how to increase session expiry in php through htaccess?
So far I got this:
php_value session.cookie_lifetime 14400
php_value session.gc_maxlifetime 14400
php_value session.gc_probability 1
php_value session.gc_divisor 1
If I'm not mistaken, the lifetime of the cookie will be 4 hours. What I'm trying to do is to increase the idle time of the session only, not the session cookie. Right now, after 4 hours I get kicked out from my app. Can someone help me on how to do this?
Thanks

The lifetime of the session is bound to cookie_lifetime and gc_maxlifetime, which are respectively the lifetime of the cookie and the lifetime of data in your session. That being said, a session can't survive without a cookie so cookie_lifetime has to be greater or equal to gc_maxlifetime; otherwise, no garbage collection of your data will be done and the cookie will expire before any data can possibly expire.

Related

how to put the time of the session variable longer?

I'm trying to increase my session variable time but they always end up expiring in the default time.
In the image you can see that session.gc_maxlifetime changes in the local value but does not change in master value.
What should I do so that session.gc_maxlifetime lasts longer so that session variables are not precociously deleted?
Try also changing session.cookie_lifetime duration

Why gc_maxlifetime wins over sess_expiration?

gc_maxlifetime is already set to 24 minutes, but each application has a different sess_expiration. One of them is set to 9000 seconds (2 1/2 hours). The app is expired based on gc_maxlifetime, not sess_expiration. Why is that? How can the sess_expiration work if it is longer than gc_maxlifetime?
Reading from here: why ini_set('session.gc_maxlifetime',60) doesn't work? and here: https://www.dev-metal.com/how-the-php-session-garbage-collector-really-works/
Because garbage collector starts (if starts) before session
I think that the gc_maxlifetime fires before your CI session handler and for this it 'wins'.
For not being forced to modify your php.ini file, you could try to set it before each session_start:
ini_set("session.cookie_lifetime","7200");
ini_set("session.gc_maxlifetime","7200");
session_start();
Or in your .htaccess file:
php_value session.gc_maxlifetime 7200
php_value session.cookie_lifetime 7200
You could read more here: Codeigniter increase session time out not working
Hope it helps!
Not really as simple as you've put it ...
It is true that gc_maxlifetime is what determines if a session should be deleted or not, because that's effectively the "server-side timer" that counts towards the deletion of a session - there's one on the client side as well, because that's where cookies are stored.
However, CodeIgniter will set gc_maxlifetime to the same value that you put in sess_expiration, unless it is 0 (in which case it uses your php.ini value).
But something else in your question may be important:
but when each application has a different sess_expiration. One of them is set to 9000 seconds (2 1/2 hours)
If you are using the same sess_save_path, sess_cookie_name, sess_match_ip on the same server, but for multiple applications ... then the application with the lowest sess_expiration value will at some point delete sessions that you intended to be still valid for others.
TL;DR: Don't use the same session "space" for separate applications.
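One way to give each application its own session "space" in plain PHP, as an added example that is not from the answer above or from CodeIgniter. The function name, the application id, the base directory and the lifetime are assumptions for illustration, and the default file-based session handler is assumed.

```php
<?php
declare(strict_types=1);

/**
 * Configure a private session store for one application.
 * Must be called before session_start(). All parameters are illustrative.
 */
function use_private_session_space(string $appId, string $baseDir, int $lifetime): string
{
    // Keep the id safe for use in a directory name and a cookie name.
    if (!preg_match('/^[A-Za-z][A-Za-z0-9]{0,31}$/', $appId)) {
        throw new InvalidArgumentException('appId must be alphanumeric');
    }

    $dir = rtrim($baseDir, '/') . '/sess_' . $appId;
    if (!is_dir($dir) && !mkdir($dir, 0700, true)) {
        throw new RuntimeException("cannot create $dir");
    }
    chmod($dir, 0700); // only the PHP user may list or read the session files

    // With the file handler, garbage collection only scans the current
    // script's save_path, so another application's shorter gc_maxlifetime
    // can no longer delete this application's sessions.
    ini_set('session.save_path', $dir);
    ini_set('session.gc_maxlifetime', (string) $lifetime);

    // Distinct cookie name so the applications do not share one session id.
    session_name('SID' . $appId);

    return $dir;
}

// Constructed usage for an application that wants 9000 seconds
// (placeholder path, adjust to the server):
//   use_private_session_space('shop', '/path/to/sessions', 9000);
//   session_start();
```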

session.gc_maxlifetime not expiring PHP Session

I have put:
php_value session.gc_maxlifetime 1
in my .htaccess file so my PHP Sessions should expire after 1 second but they are not.
I set a session and it's still set after a few hours.
If I look at phpinfo() the session.gc_maxlifetime is set to 1 on the local value.
Any ideas why this is not working?
As the php manual says:
session.gc_maxlifetime integer: session.gc_maxlifetime specifies the number of seconds after which data will be seen as 'garbage' and potentially cleaned up. Garbage collection may occur during session start (depending on session.gc_probability and session.gc_divisor).
Note: If different scripts have different values of session.gc_maxlifetime but share the same place for storing the session data then the script with the minimum value will be cleaning the data. In this case, use this directive together with session.save_path.
session.gc_probability integer: session.gc_probability in conjunction with session.gc_divisor is used to manage probability that the gc (garbage collection) routine is started. Defaults to 1. See session.gc_divisor for details.
session.gc_divisor integer: session.gc_divisor coupled with session.gc_probability defines the probability that the gc (garbage collection) process is started on every session initialization. The probability is calculated by using gc_probability/gc_divisor, e.g. 1/100 means there is a 1% chance that the GC process starts on each request. session.gc_divisor defaults to 100.
You can also refer to this post.
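Since garbage collection only runs with the probability described above, session.gc_maxlifetime on its own does not guarantee that an idle session stops working after the configured time, which is also what the first question on this page is after. An added example (not code from any of the posts on this page) that enforces the idle limit in the application with a last-activity timestamp; the function names, the `last_activity` key and the 1800-second limit are assumptions for illustration.

```php
<?php
declare(strict_types=1);

const IDLE_LIMIT = 1800; // assumed idle limit in seconds (30 minutes)

/**
 * Sliding idle timeout on a session array.
 * Returns true and refreshes the timestamp while the session is within its
 * idle window; returns false and empties the data once it has idled too long.
 */
function session_is_fresh(array &$session, int $now, int $idleLimit = IDLE_LIMIT): bool
{
    $last = $session['last_activity'] ?? null; // hypothetical key name
    if (is_int($last) && ($now - $last) > $idleLimit) {
        $session = []; // stale: drop the data even if GC never removed the file
        return false;
    }
    $session['last_activity'] = $now; // every request restarts the idle timer
    return true;
}

/** Wiring for a web request: call instead of a bare session_start(). */
function start_checked_session(): bool
{
    session_start();
    if (!session_is_fresh($_SESSION, time())) {
        session_unset();
        session_destroy();           // remove the server-side data now
        session_start();
        session_regenerate_id(true); // the old id is not reused after expiry
        return false;                // caller should send the user to login
    }
    return true;
}

// Constructed demo, runs from the CLI without a web server.
if (PHP_SAPI === 'cli') {
    $s = ['user' => 'alice', 'last_activity' => 1000];
    var_dump(session_is_fresh($s, 1000 + 600));  // request after 10 minutes
    var_dump(session_is_fresh($s, 1600 + 1801)); // next request after 30 min 1 s
    var_dump($s);                                // session data after the check
}
```

With this check in place, session.cookie_lifetime and session.gc_maxlifetime only need to be at least as long as the idle limit; the application decides when the session is no longer valid.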

CakePHP - Session Timeout - Idle User

I am using Cakephp 1.3 and having a lot of troubles with session timeouts.
So, here's my core.php file.
Configure::write('Session.save', 'cake');
Configure::write('Session.cookie', 'TESTING');
Configure::write('Session.timeout', '0.01');
Configure::write('Session.start', true);
Configure::write('Session.checkAgent', false);
Configure::write('Security.level', 'low');
Here comes the first problem: on Session.timeout it is specified as SECONDS, but if I put 1 using low that gives my cookie an expiry of 5 hours (?). With this setting I am getting 3 minutes to cookie expiry. I don't understand that, it should be 1 x 300 seconds = 5 minutes. What kind of math is that?
And the main problem is that this is not being respected: when I log in to my website I can see it generated a session that will expire in 3 minutes, but as soon as I log on and click a link I get back to the login page, which means I get deauthenticated in less than 30 seconds.
I am trying to set such a low value for testing, I know high and medium security values regenerate session between requests but I would like to understand what's going on.
Thanks a lot.
Session lifetime and cookie lifetime aren't equal. Session lifetime is calculated by
Security::inactiveMins() * Configure::read('Session.timeout')
whereas cookie lifetime is calculated by
Configure::read('Session.timeout') * (Security::inactiveMins() * 60)
So on a security level of low, a session timeout of 1 results in a session lifetime of 300 seconds, and a cookie lifetime of 18000 seconds, i.e. 5 hours.
And when using a 0.01 second timeout, session lifetime would be 3 seconds, and cookie lifetime would be 180 seconds, and therefore you are being logged out so fast.
As you've experienced for yourself, there's no need to worry about the longer cookie lifetime (which I guess is to prevent the cookie becoming invalid before the session times out, but I could be wrong on that), once the session times out, the cookie is being invalidated and finally overwritten.

How to make users not be logged out after certain time (PHP/APACHE)

I already made these adjustments in my php.ini file and then stopped/started the server:
; 24 hour session cookie
session.cookie_lifetime = 86400
; Prevent server from cleaning up session
; Some value higher than the cookie lifetime
session.gc_maxlifetime = 200000
But that seemed to do nothing and my users are still complaining that they get logged out after about 30 minutes. And I am also getting logged out often.
What else could I look into or do in order to make my users who are logged in not to be logged out and keep them logged in at least 24 hours or more.
Thanks!
Whilst you can increase the session time out using code similar to the below: (in .htaccess, if you are on apache)
php_value session.gc_maxlifetime 86400
php_value session.gc_probability 1
php_value session.gc_divisor 100
The problem is that your sessions folder can become cluttered with inactive session files. Our sites use a half hour time out, but we have an AJAX poller as part of the management interface which keeps the session alive once every 15 minutes. That way we only keep the session open for active users (even if they are performing long term operations).
Alternatively you may consider storing a separate - longer term - cookie which can be used to quickly re-establish the user's session should it expire; again this prevents the need to fill your server with cumbersome session files.
