PHP Sessions expiring too early!

Hi all,
I've developed a login script based around sessions. The issue I'm having is that sessions are expiring too early, at around 30 mins (although it's a bit random, could be 5 mins, could be an hour), instead of the 2 hrs set by 'session.gc_maxlifetime' in the php.ini file (this is hosted with TsoHost on their clustered servers, so I have a custom ini file, and yes, the session.save_path is correct as stated on their forums).

The PHP session/cookies settings -


I've been hunting around Google, php.net and a load of PHP forums, but it just seems to be full of people in similar situations and I just keep finding conflicting information, like whether 'session.gc_maxlifetime' is the inactivity timeout of the session (by last_modified) or whether this is the timeout from when the session was created (as stated in the php.ini file).

Has anyone got any ideas regarding this? I've completely hit a brick wall, and as a last resort the only option seems to be to re-write the authentication side of things to use cookies (has been recommended a few times on other forums), which I've tried to stay away from due to security.

Cheers for any help on this though :)
 
The cookie session ID 'PHPSESSID' is staying the same (I have it dumping out all HTTP headers every time a page is loaded) until the browser closes and I re-open it. Will check the $_SESSION array.

I have just changed the 'session.cookie_lifetime' to 7200 instead of 0 (default, delete cookie on browser close), same as the 'session.gc_maxlifetime' - I can't see this making a difference but we'll see.


edit - as I'm using cookies for sessions, 'session.use_cookies' = 1 (on), should the 'session.cookie_path' be set to anything? It's set to "/" and I've just read that people setting this cookie_path seem to have better luck when using cookies for sessions. Just wondering if I can set it to the same path as 'session.save_path' (eg: /tmp/php_sessions) under TsoHost clustered hosting.
 
It seems that the whole session is getting destroyed! :( This is after logging in (no sessions set/displayed), redirect (PHP header location etc) to application main page (session variables are set correctly/displayed), leaving the system idle for 25/30 mins, click a random link, software thinks it's not logged in, redirects to login page (no sessions set).

I'm royally confused now :confused: Is there a way to switch the session garbage collection off? Would setting 'session.gc_probability' to 0 switch it off?
Just wondering if the GC is being called and clearing the session, then again that should only be happening after the 'session.gc_maxlifetime' limit...
 
Also noticed that the php.ini settings don't seem to be getting carried between directories; it seems that every directory needs its own copy of the php.ini :confused: (perhaps there's an option for a custom php.ini in the hosting control panel, shame I don't have access to it).

I'll see what setting the 'session.gc_probability' to 0 does, can't see it doing much though :(
 
Ahhhh gotcha, that might explain a lot :p
The php.ini I am setting is this -
PHP:
[Session]
session.save_handler = files
session.save_path = "/tmp/php_sessions"
session.use_cookies = 1
session.use_only_cookies = 1
session.name = PHPSESSID
session.auto_start = 0
session.cookie_lifetime = 0
session.cookie_path = /
session.cookie_domain =
session.cookie_httponly = 
session.serialize_handler = php
session.gc_probability = 0
session.gc_divisor = 1000
session.gc_maxlifetime = 14400
session.cookie_lifetime = 0
session.bug_compat_42 = On
session.bug_compat_warn = On
session.referer_check =
session.entropy_length = 0
session.entropy_file =
session.cache_limiter = nocache
session.cache_expire = 180
session.use_trans_sid = 0
session.hash_function = 0
session.hash_bits_per_character = 5

Yeah, will get rid of the php.ini files and start from scratch. See where I get and take it from there...

edit - I was originally setting the 'session.gc_maxlifetime' (etc) within the application's main function include using ini_set("session.gc_maxlifetime", "14400");, but I never had much luck with it.
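
Added example, not part of the thread or the poster's code: 'session.gc_maxlifetime' only marks session data as eligible for garbage collection, so a login system that needs a dependable timeout usually records its own timestamps in the session and checks them on every request. The sketch assumes PHP 7 or later; the constants, the 'user_id' / 'created' / 'last_seen' keys and the /login.php path are hypothetical.

```php
<?php
// Added example. IDLE_LIMIT, ABSOLUTE_LIMIT, the $_SESSION keys and
// /login.php are assumptions for illustration, not values from the thread's app.
const IDLE_LIMIT     = 7200;   // allowed inactivity in seconds (the 2 hrs wanted above)
const ABSOLUTE_LIMIT = 28800;  // hard cap since login, whatever the activity (assumed)

ini_set('session.gc_maxlifetime', (string) IDLE_LIMIT); // GC must not undercut the idle limit
ini_set('session.cookie_httponly', '1');                // keep the session ID away from scripts
session_start();

// Pure decision function: classifies a session array at time $now.
function session_state(array $s, int $now): string
{
    if (!isset($s['user_id'], $s['created'], $s['last_seen'])) {
        return 'anonymous';            // no login data: never logged in, or data is gone
    }
    if ($now - $s['last_seen'] > IDLE_LIMIT) {
        return 'idle_expired';         // inactivity timeout
    }
    if ($now - $s['created'] > ABSOLUTE_LIMIT) {
        return 'absolute_expired';     // timeout measured from login
    }
    return 'active';
}

function login(int $userId): void
{
    session_regenerate_id(true);       // fresh ID at the privilege change
    $_SESSION = ['user_id' => $userId, 'created' => time(), 'last_seen' => time()];
}

function require_login(): void
{
    $state = session_state($_SESSION, time());
    if ($state === 'active') {
        $_SESSION['last_seen'] = time();   // slide the idle window forward
        return;
    }
    error_log("session rejected: $state"); // records which check failed
    $_SESSION = [];
    session_destroy();
    header('Location: /login.php');
    exit;
}
```

A logged 'anonymous' rejection after a short idle period means the login data was missing (cookie not sent, or the data removed server-side) before either of the application's own limits was reached.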
 