PHP Sessions expiring too early!

visibleman · 20 May 2010 at 22:27

Hi all,
I've developed a login script based around sessions, the issue i'm having is that sessions are expiring too early at around 30mins (although it's a bit random, could be 5mins could be an hour) instead of 2hrs set by 'session.gc_maxlifetime' in the php.ini file (this is hosted with TsoHost on their clustered servers, so have a customer ini file and yes the session.save_path is correct as stated on their forums).

The PHP session/cookies settings -

I've been hunting around google, php.net and a load of PHP forums but it just seems to be full of people in similar situations and i just keep finding conflicting information like whether 'session.gc_maxlifetime' is the inactivity timeout of the session (by last_modified) or whether this is the timeout from when the session was created (as stated in the php.ini file).

Has anyone got any ideas regarding this? As i've completely hit a brick wall and as last resorts the only option seems to be to re-write the authentication side of things to use cookies (has been recommended a few times on other forums), which i've tried to stay away from due to security.

Cheers for any help on this though

Adz · 20 May 2010 at 22:49

Have you tried doing a print_r on the $_SESSION array to see what changes when you're logged out?

Also check the session ID with session_id(), does it change?

visibleman · 20 May 2010 at 22:57

The cookie session ID 'PHPSESSID' is staying the same (i have it dumping out all HTTP headers everytime a page is loaded) until the browser closes and i re-open it, will check the $_SESSION array.

I have just changed the 'session.cookie_lifetime' to 7200 instead of 0 (default, delete cookie on browser close), same as the 'session.gc_maxlifetime' - i can't see this making a difference but we'll see.

edit - as i'm using cookies for sessions, 'session.use_cookies' = 1 (on), should the 'session.cookie_path' be set to anything? It's set to "/" and i've just read that people setting this cookie_path seem to have better luck when using cookies for sessions. Just wondering i can set it to the same path as 'session.save_path' (eg: /tmp/php_sessions) under TsoHost clustered hosting.

Adz · 20 May 2010 at 23:05

It's not a cookie issue otherwise the session ID would change. I'm fairly sure examining the content of the $_SESSION array will lead you to the solution.

visibleman · 20 May 2010 at 23:26

It seems that whole session is getting destroyed!

This is after logging in (no sessions set/displayed), redirect (php header location etc) to application main page (session variables are set correctly/displayed), leaving the system idle for 25/30mins, click a random link, software thinks it's not logged in redirects to login page (no sessions set).

I'm royally confused now :confused:

Is there a way to switch the session garbage collection off? Would setting 'session.gc_probability' to 0 switch it off?
Just wondering if the GC is being called and clearing the session, then again that should only be happening after the 'session.gc_maxlifetime' limit....

Adz · 20 May 2010 at 23:38

Setting the probability to 0 will disable the gc however there is no reason for the gc to be 'clearing up' your session if it is active and the max lifetime hasn't been reached. It will help to rule it out though

.

visibleman · 20 May 2010 at 23:51

also noticed that the php.ini settings doesn't seem to be getting carried between directories, it seems that every directory needs it's own copy of the php.ini :confused:

(perhaps there's an option for a custom php.ini in the hosting control panel, shame i don't have access to it).

i'll see what setting the 'session.gc_probability' to 0 does, can't seeing it doing much though

Adz · 20 May 2010 at 23:56

That's how custom php.ini files work, they have to be in the directory the script is running from

.

What are you setting in the custom php.ini other than the session stuff? Try simply deleting all the custom php.ini files for now, just to rule that out as the cause.

If you still can't get it working, raise a support ticket with your hosting provider and let them take a look.

visibleman · 21 May 2010 at 00:11

Ahhhh gotcha, that might explain a lot

The php.ini i am setting is this -

PHP:

[Session]
session.save_handler = files
session.save_path = "/tmp/php_sessions"
session.use_cookies = 1
session.use_only_cookies = 1
session.name = PHPSESSID
session.auto_start = 0
session.cookie_lifetime = 0
session.cookie_path = /
session.cookie_domain =
session.cookie_httponly = 
session.serialize_handler = php
session.gc_probability = 0
session.gc_divisor = 1000
session.gc_maxlifetime = 14400
session.cookie_lifetime = 0
session.bug_compat_42 = On
session.bug_compat_warn = On
session.referer_check =
session.entropy_length = 0
session.entropy_file =
session.cache_limiter = nocache
session.cache_expire = 180
session.use_trans_sid = 0
session.hash_function = 0
session.hash_bits_per_character = 5[/QUOTE]

Yeah will get rid of the php.ini files and start from scratch. See where i get and take it from there....

edit - i was originally setting the 'session.gc_maxlifetime' (etc) within the applications main function include using ini_set("session.gc_maxlifetime", "14400");, but i never had much luck with it.

Penn0r · 30 Dec 2016 at 17:24

I realise this is a bit of a bump, but did you ever find the solution visibleman? I've got the exact same problem @visibleman

Penn0r · 30 Dec 2016 at 17:25

visibleman said:
Ahhhh gotcha, that might explain a lot
The php.ini i am setting is this -

Yeah will get rid of the php.ini files and start from scratch. See where i get and take it from there....

edit - i was originally setting the 'session.gc_maxlifetime' (etc) within the applications main function include using ini_set("session.gc_maxlifetime", "14400");, but i never had much luck with it.