0

OK after days of frustration I have stumbled across and issue with sessions, unfortunately I am not sure if my the solution I found will become a security issue or Risk.

I was working on a php project on my localhost logged in the app and I could walk away for 5,10 even 15 minutes and come back and i could still proceed through my application logged in. When I uploaded my project to test online. if i logged in I could refresh in 2 - 3 minutes and would have to log back in.

I tried everything from about 50 posts on here and got no result. so I decided to read every line of phpinfo on my localhost and my host to compare. came up with nothing.. well I in fact over looked a detail..

So this morning with coffee a very little hair left.. I found the problem.

session.cache_expire 180

now this closes at 3 minutes regardless of the session lifetime. also on localhost,

session.gc_divisor 1000

the session.gc_divisor is 1000 on localhost but on my web host its 100,

Now I have a file called sessions.php and in it is my session_start. the solution i found was here. http://php.net/manual/en/function.session-cache-expire.php

so i have changed my session file to the following.

session_cache_limiter('private');
$cache_limiter = session_cache_limiter();

session_cache_expire(30);
$cache_expire = session_cache_expire();
session_start();
ob_start();

the result is when i leave my browser open for longer than 3 minutes it no longer requires me to log back in.. But is this a proper solution?

Improve this question

1 Answer 1

Reset to default
1

You should be aware that session.cache_expire has nothing to do with the lifetime of a PHP session. It's to do with HTTP caches. Is there a proxy in front of your web server that is caching content? That's what that setting controls.

In terms of PHP session lifetime here are your key settings:

session.gc_maxlifetime - The number of seconds before a session is marked as "garbage". This is enforced by the server

session.cookie_lifetime - The number of seconds before the session cookie expires. This is enforced by the client (web browser)

You have to make sure both are complimenting each other. If the server side expired before the client side, the client will present the session cookie and the server will reject it. If the client cookie expires before the server side, the browser won't send the session cookie at all and the server will send a new one thinking it's a new client.

As for garbage collection itself, it's not going to impact session lifetime either as this only comes into play for sessions that have been marked as "garbage" by the server. There are two key settings:

session.gc_probability

session.gc_divisor

The easiest way to think of these is as a fraction. For example:

session.gc_probability = 1

session.gc_divisor = 100

There will be a 1 in 100 chance that a client request will trigger the garbage collector. So, 1 in 100 clients get a small performance degradation (not really - it's very fast). It's probably set to 1000 on your production server because it's handling a lot of traffic. That is, if you get 1000 requests in a minute, you might only want the garbarge collector to be invoked about once a minute.

Improve this answer
Sign up to request clarification or add additional context in comments.

3 Comments

@sgif I login to the app i can sit on that page for 3 minutes then try to go to a page that requires you to be logged in. and then it asks me to login again. unless i use the following code above..
session.cache_expire may not have anything to do with the life of sessions but its requiring my to login after 3 minutes going page to page that requires login.
Maybe you've inadvertently discovered another issue in that you're actually viewing a cached version of the page and there's in fact no session there at all. I would check and make sure you are not viewing a cached page. Test by changing the content within the 3 minute interval and reloading the page. If the content doesn't update you'll know you're viewing a cache and not the real page.

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.