
Sessions expiring?

Posted: Wed Aug 25, 2004 9:20 am
by Bill H
To quote feyd in another thread (that I didn't want to hijack):
"the session normally won't expire until the browser is closed."
That has always been my assumption as well, and I have found no documentation to the contrary, however:

I have a client site where the user login is stored in a $_SESSION variable. The users are reporting that if they remain inactive for an indeterminate length of time when logged in and then take any action on the site they get "kicked" back to the login page. That action would be caused by code at the start of each page of the !isset() variety, so it appears that even with the browser not being closed the session is expiring in some fashion.

The length of time appears to be extremely variable. I have duplicated it on my computer, but it seems it was at least half an hour or perhaps greater. Some users are reporting the behavior after as little as ten minutes or so.

Anyone have anything to offer so that I can either correct the issue or provide users with some guidelines?

Posted: Wed Aug 25, 2004 9:44 am
by delorian
Read the php manual http://php.net/manual/en/ref.session.php, and look for some configuration directives with maxlifetime, expire, etc.

Posted: Wed Aug 25, 2004 10:34 am
by feyd
some browsers toss their session cookie when you navigate away from the site/page/whatever it was created on as well.

Posted: Wed Aug 25, 2004 12:45 pm
by Bill H
delorian: The link results in a "page not found" for me. I did read everything I could find in the php manual about sessions, and I found nothing pertinent to the session expiring while the browser remains open. I also have three textbooks, none of which had anything that I found useful.

feyd: This is happening without navigating away from the site at all. Typically a user is inputting and the doorbell rings, etc. They go away from the computer without closing the page and when they return any action kicks them back to login page.

Posted: Wed Aug 25, 2004 12:59 pm
by feyd
the session.cookie_lifetime value may be set on the server.. default value is zero.

Posted: Wed Aug 25, 2004 1:03 pm
by Buddha443556
Bill, are you on a shared server? Admins have a habit of purging sessions from /tmp on shared servers. Moving the session to your own folder will fix this problem.

Also make sure your cookies have a nice long lifetime because you can not count on the browser not deleting it earlier than you expect. Could also use session cookies (lifetime zero) which are deleted when the browser closes.

Posted: Thu Aug 26, 2004 8:36 am
by Bill H
Yes, I am on a shared server. How would I change the location if I cannot access the ini file?

Also, the only session lifetime refs I see in phpinfo is gc_maxlifetime=1440 and cookie_lifetime=0. As I understand what I read in the manual (which may be wrong since the manual's explanations are somewhat less than crystal) neither of those has anything to do with this issue.

here's my session data from phpinfo (local value, then master value):

Code:

session.auto_start	Off	Off
session.bug_compat_42	On	On
session.bug_compat_warn	On	On
session.cache_expire	180	180
session.cache_limiter	nocache	nocache
session.cookie_domain	no value	no value
session.cookie_lifetime	0	0
session.cookie_path	/	/
session.cookie_secure	Off	Off
session.entropy_file	no value	no value
session.entropy_length	0	0
session.gc_divisor	100	100
session.gc_maxlifetime	1440	1440
session.gc_probability	1	1
session.name	PHPSESSID	PHPSESSID
session.referer_check	no value	no value
session.save_handler	files	files
session.save_path	/tmp	/tmp
session.serialize_handler	php	php
session.use_cookies	On	On
session.use_only_cookies	Off	Off
session.use_trans_sid	On	On

Posted: Thu Aug 26, 2004 12:58 pm
by Buddha443556
The configuration option's name is: session.save_path

There are three ways besides modifying the master php.ini file: ini_set() [ before session_start() ], htaccess, local php.ini which works only under phpsuexec.

If you receive an Internal Server Error 500 trying to use htaccess you may be using phpsuexec. Then you need to create a file called php.ini (plain text) setting the new value like this:

Code:

session.save_path=/home/username/yournewtmp
This local php.ini file needs to go in every folder where you are executing PHP scripts.

Posted: Thu Aug 26, 2004 11:39 pm
by Bill H
All of my php books go into great detail about creating your own session handler using a db, but they say nothing at all about using the one provided by the system.

1. Since my "session.use_cookies" is set to On, would the "session.save_path" or the "session.cookie_path" apply? The latter is set to a single slash, while the former is set to "/tmp"

2. Since almost all of my scripts are running from subdirectories, where is the "/tmp" located? Or does php use that path relative to the root? Or relative to something else?

3. What happens if I set "session.use_only_cookies" to on and the viewer has his browser set to reject cookies out of hand?

4. If I change the "session.save_path" will scripts in all subdirectories find it from that single directory name being iterated, or will I need to set it in each script relative to the location of that particular file?

Posted: Thu Aug 26, 2004 11:51 pm
by feyd
Bill H wrote: 1. Since my "session.use_cookies" is set to On, would the "session.save_path" or the "session.cookie_path" apply? The latter is set to a single slash, while the former is set to "/tmp"
both matter. If your server is a *nix based one, then that sounds fine.

Bill H wrote: 2. Since almost all of my scripts are running from subdirectories, where is the "/tmp" located? Or does php use that path relative to the root? Or relative to something else?
It's an absolute path, so it doesn't really matter where it's used.

Bill H wrote: 3. What happens if I set "session.use_only_cookies" to on and the viewer has his browser set to reject cookies out of hand?
I haven't tried it, but I think it'll create a new session on every page.. That's if it actually pays attention to it. ;)

Bill H wrote: 4. If I change the "session.save_path" will scripts in all subdirectories find it from that single directory name being iterated, or will I need to set it in each script relative to the location of that particular file?
that depends on what you set it to.. if it's a relative path, you could easily have problems. As long as the path is an absolute one, you shouldn't have problems.

Posted: Fri Aug 27, 2004 6:45 am
by Buddha443556
Bill H wrote: 1. Since my "session.use_cookies" is set to On, would the "session.save_path" or the "session.cookie_path" apply? The latter is set to a single slash, while the former is set to "/tmp"
Sessions are stored on the server and cookies are stored on the client's computer. "session.save_path" refers to where sessions will be stored on the server. "session.cookie_path" refers to the URL path on the server in which the cookie will be available on. The "/" means it's available to the whole domain. If "session.cookie_path" was set to "/foo/" then only scripts in that folder could access that session cookie because the browser would only send it for URLs with "/foo/" in it.

Bill H wrote: 2. Since almost all of my scripts are running from subdirectories, where is the "/tmp" located? Or does php use that path relative to the root? Or relative to something else?
"session.save_path" is sent to the session handler and should be absolute. "/tmp" is located outside your user directory and is accessible to ALL other domains on the server. This is the biggest reason to move your sessions to your own folder. (If your server isn't Jailed then well it's all a moot point.)

Bill H wrote: 3. What happens if I set "session.use_only_cookies" to on and the viewer has his browser set to reject cookies out of hand?
New session is created on every page. The user will not receive any benefit from the session info.

Bill H wrote: 4. If I change the "session.save_path" will scripts in all subdirectories find it from that single directory name being iterated, or will I need to set it in each script relative to the location of that particular file?
Depends on how you change it? If you use ini_set() in a front controller then that may be the only change you need. However, if your script's control is distributed across multiple directories ini_set() would be needed in every script. htaccess and local php.ini changes are per directory.

Posted: Fri Aug 27, 2004 8:11 am
by Bill H
Thanks for the info, it clears up a lot.

Buddha443556 wrote: (If your server isn't Jailed then well it's all a moot point.)
What is "Jailed" and how do I find out?

Buddha443556 wrote: If you use ini_set() in a front controller then that may be the only change you need. However, if your script's control is distributed across multiple directories ini_set() would be needed in every script.
Could you expand on that? What would the "front controller" consist of?

Posted: Fri Aug 27, 2004 9:38 am
by Buddha443556
Bill H wrote: What is "Jailed" and how do I find out?
In a jailed server, your access is limited by your user id. Others on the server can't access your files unless you allow them (except the root user which has total access - this would be your server's administrator). If you're running phpsuexec you're probably in a jailed environment. Just ask your host.

Bill H wrote: Could you expand on that? What would the "front controller" consist of?
PHP-Nuke is an example of a script that has a front controller. A front controller processes all the requests a web site receives, in the case of PHP-Nuke that is modules.php. In PHP-Nuke, you might be able to insert one ini_set() in modules.php to affect the whole script.
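
Added example, not part of any post in this thread: one shared include that applies the ini_set()-before-session_start() advice above, so scripts spread across several directories each need only a single require_once line rather than a front controller. The file name session_bootstrap.php, the function name, and the 30-minute idle limit are assumptions; the directory is the placeholder path from the post above, and the syntax assumes PHP 7 or later.

```php
<?php
// session_bootstrap.php (hypothetical file name): require_once this at the
// top of every script instead of calling session_start() directly.

// Assumed values: the placeholder path from the thread and a 30-minute idle limit.
const SESSION_DIR  = '/home/username/yournewtmp';
const IDLE_SECONDS = 1800;

function start_private_session(string $dir, int $idleSeconds): void
{
    // Keep session files in a directory only the site's own account can read,
    // instead of the shared /tmp that every domain on the server can reach.
    if (!is_dir($dir) && !mkdir($dir, 0700, true)) {
        throw new RuntimeException("cannot create session directory: $dir");
    }
    if (!is_writable($dir)) {
        throw new RuntimeException("session directory not writable: $dir");
    }

    // All of these must be set before session_start().
    ini_set('session.save_path', $dir);                  // absolute path
    ini_set('session.gc_maxlifetime', (string) $idleSeconds);
    ini_set('session.cookie_lifetime', '0');             // cookie ends with the browser
    ini_set('session.use_only_cookies', '1');            // take the id from the cookie only
    ini_set('session.use_trans_sid', '0');               // never append the id to links

    session_start();

    // Enforce the idle limit explicitly, so expiry is predictable and does not
    // depend on when garbage collection happens to run.
    $now = time();
    if (isset($_SESSION['last_seen']) && $now - $_SESSION['last_seen'] > $idleSeconds) {
        $_SESSION = [];                 // forget the stale login
        session_regenerate_id(true);    // delete the old session file, issue a new id
    }
    $_SESSION['last_seen'] = $now;
}

start_private_session(SESSION_DIR, IDLE_SECONDS);
```

Each page then starts with require_once pointing at this file and keeps its existing !isset() login check unchanged.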

Posted: Fri Aug 27, 2004 11:15 am
by Bill H
Okay, too many terms here that are totally outside my realm of knowledge, and each attempt to clarify just adds more terms that I know nothing about.

It appears there is no readily implementable solution, and my client is living with the situation with only occasional complaints so...

Thanks for trying, but I seem to be invincibly ignorant.
:oops: