corsasport.co.uk
 

Author PHP Sessions (maxlifetime)
Dom
17th May 10 at 12:45

Currently i'm setting the sessions maxlifetime to 3600 minutes (an hour) using ini_set("session.gc_maxlifetime", "3600"). Am i right in thinking that if a session hasn't been updated within that hour, then it is seen to be 'garbage' and will be scrubbed/deleted?

So in the situation of storing a 'loggedon' boolean session variable when a user has logged on to a web app that isn't updated whilst the user is using the web app (although other session variables are), it would get destroyed after the maxlifetime limit?

cheers for any help
AndyKent
17th May 10 at 13:29

Not quite right iirc. The session itself will stay alive an hour after the last activity, not from when a particular variable was set.

Say a user logged on at 3pm and last clicked in your app at 3.15, the session would expire at 4.15pm, not 4pm. That would then dump all the variables you've set.
Dom
17th May 10 at 14:46

So that's any activity across all of the $_SESSION variables?
What i read (php site and others) made it sound like if a variable wasn't updated then it would get scrubbed regardless of other session variables changing.

Cheers though
AndyKent
17th May 10 at 15:07

My understanding was that if the session in relation to a user was updated, the whole session was updated if that makes sense.

There isn't (as far as I know) a time logged against each variable so it would just get recycled along with everything else.

Might well be wrong, but pretty sure I'm not
Dom
17th May 10 at 16:56

Well the client isn't bitching about it so i'm praying that it's fixed, time will tell i suppose
Dom
20th May 10 at 09:39

Still having issues with users getting randomly booted after 15mins or so, even though the session.gc_maxlifetime is set to 3400secs/1hr. Having a nose round the php.ini i found -

-----
; After this number of seconds, stored data will be seen as 'garbage' and
; cleaned up by the garbage collection process.
session.gc_maxlifetime = 1440
-----

So i can only assume that a session gets scrubbed after the set time limit and that i should be setting the limit to something huge like 9hrs to keep a user logged in for the day
Also am i right i should be setting this before the session_start()?
Reedy
20th May 10 at 09:47

surely if you modify the main php.ini file then it will automatically set it.
Otherwise if you're doing it with one of those .htaccess files then the issue might be when the user is going to another folder I think it loses those settings. So if a page directs away from the index to an upper level, e.g. corsasport.co.uk -> corsasport.co.uk/board/
I might be wrong though, i tend to just change the main php.ini file.

[Edited on 20-05-2010 by Reedy]
Dom
20th May 10 at 09:53

i'm using ini_set() to set it before session_start() on every page (should i be setting it on every page, or only once say on the login page?). Ideally i should have a custom php.ini but at the moment i don't have access to do that. I have just found that the host requires you to set the session.save_path to /tmp/php_sessions if using custom php.ini's, so i've set that as well before the session.maxlifetime.
ed
20th May 10 at 10:08

Doesn't the session remain active for as long as the cookie is alive? The cookie expires when the browser session is closed, so if you use a session based login system as soon as the user navigates away from the page, they get booted off?
Dom
20th May 10 at 10:44

quote:
Originally posted by ed
Doesn't the session remain active for as long as the cookie is alive? The cookie expires when the browser session is closed, so if you use a session based login system as soon as the user navigates away from the page, they get booted off?


Sessions are carried over between pages, but as you say the session ID is stored in a cookie (iirc) and i have read that you should set the 'session.cookie_lifetime' to 0 (0 meaning, clear cookie on browser close). I did do that but the whole thing went tits up
Problem is the client is getting fucked off with his staff entering loads of info, pressing submit and the app kicking them out.....
ed
20th May 10 at 11:04

Ohhhh, I've not come across that before....
Dom
20th May 10 at 11:14

Another question, should i be calling session_name() before session_start() to resume a session? Or will it automatically resume the session on session_start() using the session id?

[Edited on 20-05-2010 by Dom]
ed
20th May 10 at 11:16

session_start() will resume the session. You only use session_name() if you want to call the session something or get the name of the current session.
ed
20th May 10 at 11:17

Not sure if the first comment bears any relevance to your work?

http://php.net/manual/en/function.session-name.php
Dom
20th May 10 at 11:36

Cheers, am already reading it. It looks like you only use session_name() if you're giving a name to your session in which you obviously need to resume the session with that name (as sessions default to IDs). Otherwise it'll automatically resume a session based on IDs. I could be completely wrong though

I find the whole documentation of php sessions to be pretty shit, especially on dealing with sessions expiring. Doesn't help googling as there is far too much conflicting information about regarding sessions - ie: some people think maxlifetime is based on inactivity or last modified time of the session, whereas others (inc the note in the php ini) say the maxlifetime is the time since the session was created.
Reedy
20th May 10 at 11:38

The only thing you need to run is session_start() and possibly session_destroy()

session start can be run on every page (but depends on the architecture), i develop using MVC so i only use a session start in the index file.

Session destroy is used when a user logs out.

I hope that clears things up
ed
20th May 10 at 11:41

I use cookies for user verification as there seems to be a bit more control over what you can do with them. I'm not too sure what the security aspects of doing it this way are...
Dom
20th May 10 at 12:13

Reedy - Yup, already doing it like that.
Ed - I have looked at using cookies, it might be a route if this continues, although you can easily retrieve the information out of a cookie that's the only issue.

Problem is, the application is 'booting' them out but i'm having no issues whatsoever on my dev box, my laptop or my pc and this is across a number of browsers. Which makes me wonder if it's an issue at their end, but i have no idea what (there are only 3/4 of them, their internet connection is run through a windows server but no caching is apparently on that server). I'm seriously running out of ideas.......


All pages include a 'general_include.php', and the start of the 'general_include.php' is -
quote:

ini_set("session.save_path", "/tmp/php_sessions"); //Session Save Path (as stated on the Host Forums)
ini_set("session.gc_maxlifetime", "7200"); //Session Max Life - 2hr
ob_start(); //Use Buffering - ob_flush() is getting called at the end of the page load!
session_start(); //start sessions
dbConnect(); //DB Connection Function
$GLOBALS['directory'] = "/livesite"; // Set Global directory *Temp



After that there are a few login checks (time limits, ip restriction etc) and then a load of functions that are used throughout the application.

Regarding the login page, once they hit the submit button, it checks to see if the user/password is ok, if not display error otherwise open a new window fullscreen (not status bar, address bar etc) for the main app and close the current (login) window.
Could there be an issue with sessions getting carried between new windows? Thing is, if you login and create a new tab you can still access the application from that new tab without logging in, so i've assumed that sessions do get carried across
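
An added example, not part of the thread or of any poster's code: one way to make the idle timeout explicit instead of depending on when PHP's session garbage collector runs. session.gc_maxlifetime is only the age after which the collector may delete session data, and the PHP manual notes that when scripts with different values share one save path, the lowest value does the cleaning. Assumes PHP 7+; the function names, the `last_activity` key and the private directory are hypothetical.

```php
<?php
// Added example: explicit idle timeout that does not depend on when PHP's
// session garbage collector happens to run. All names below are hypothetical.

const APP_IDLE_LIMIT = 7200; // seconds of inactivity allowed (2hr, as in the thread)

function start_app_session(string $privateDir): bool
{
    // Store session files in a directory only this application uses (outside
    // the web root). In a shared save_path, GC triggered by any script with a
    // lower gc_maxlifetime can delete this application's session files.
    if (!is_dir($privateDir) && !mkdir($privateDir, 0700, true)) {
        throw new RuntimeException('cannot create session directory');
    }
    ini_set('session.save_path', $privateDir);
    // Keep the GC threshold at or above the idle limit so GC never removes a
    // session the application still considers live.
    ini_set('session.gc_maxlifetime', (string) APP_IDLE_LIMIT);
    ini_set('session.cookie_lifetime', '0'); // cookie lasts until browser close
    ini_set('session.cookie_httponly', '1'); // not readable from page scripts
    ini_set('session.use_strict_mode', '1'); // ignore IDs the server never issued
    session_start();

    $now  = time();
    $last = $_SESSION['last_activity'] ?? null;
    if ($last !== null && ($now - $last) > APP_IDLE_LIMIT) {
        $_SESSION = [];      // idle too long: drop the data...
        session_destroy();   // ...and the stored session file
        return false;        // caller sends the user to the login page
    }
    $_SESSION['last_activity'] = $now; // any request counts as activity
    return true;
}

function log_in(int $userId): void
{
    session_regenerate_id(true); // fresh ID on login, old session file removed
    $_SESSION['user_id'] = $userId;
    $_SESSION['last_activity'] = time();
}

function is_logged_in(): bool
{
    return isset($_SESSION['user_id']);
}
```

start_app_session() has to run before any output is sent; a false return means the previous session was expired by the application rather than by garbage collection.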
AndyKent
20th May 10 at 12:14

I'm with ed on this one - I'd probably just use cookies instead unless there is a reason why you want to store lots of data in a session server-side.

Can you rewrite the user authentication side to check for a cookie if the session isn't valid?
Dom
20th May 10 at 12:30

Only reason i used sessions was due to the security side of things, as obviously you can read data from cookies pretty easily - only data i am storing is whether they are logged in (boolean), their user ID (reference to database table), username, their full name and their access status (admin/user etc).

I suppose i could use cookies, would require a fair amount of re-writing of code.....last resort ideally but it's looking like the only solution.
AndyKent
20th May 10 at 12:32

See what you mean.

In an ideal world you'd just store a userID as a cookie and let the server collect the rest of the information as/when it needs it. Can see how it could be a right pain if it's a fair sized app though
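
An added example, not part of the thread: a cookie that carries only a user ID is a value the client controls, so a cookie-based login check needs an integrity tag that the server can verify before trusting the ID. Assumes PHP 7.1+ and a secret key kept on the server; the function names and the `id|expiry|mac` layout are hypothetical.

```php
<?php
// Added example: user ID cookie protected by an HMAC and an expiry time.
// Function names and the "id|expiry|mac" layout are hypothetical.

function make_auth_cookie(int $userId, int $expires, string $key): string
{
    $payload = $userId . '|' . $expires;
    // The MAC covers both fields, so neither can be changed client-side.
    return $payload . '|' . hash_hmac('sha256', $payload, $key);
}

function verify_auth_cookie(string $cookie, string $key, ?int $now = null): ?int
{
    $parts = explode('|', $cookie);
    if (count($parts) !== 3) {
        return null; // wrong shape
    }
    [$userId, $expires, $mac] = $parts;
    if (!ctype_digit($userId) || !ctype_digit($expires)) {
        return null; // fields must be plain decimal integers
    }
    $expected = hash_hmac('sha256', $userId . '|' . $expires, $key);
    if (!hash_equals($expected, $mac)) {
        return null; // tampered or forged (constant-time comparison)
    }
    if (($now ?? time()) > (int) $expires) {
        return null; // genuine but expired
    }
    return (int) $userId;
}

// Constructed demo values, not data from the thread.
function demo(): array
{
    $key    = random_bytes(32);            // in practice: a fixed server-side secret
    $cookie = make_auth_cookie(42, time() + 7200, $key);
    $forged = '1' . substr($cookie, 2);    // same MAC, user ID changed to 1
    return [
        'valid'   => verify_auth_cookie($cookie, $key),
        'forged'  => verify_auth_cookie($forged, $key),
        'expired' => verify_auth_cookie($cookie, $key, time() + 7201),
    ];
}

var_dump(demo());
```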
Dom
20th May 10 at 12:37

maybe if i just change the logged-in boolean session to store it in a cookie, as that's the one the app is checking.....

Andy - yeah it's a pretty big app, would take a good day and a bit to rewrite it for cookies. Perhaps i should have made the whole authentication side of things modular/class/function based or something, would have saved a load of work.
AndyKent
20th May 10 at 12:41

Seems a bit pointless having a bool for logged in to me. If the cookie has been set then the user is obviously logged in (so bool = true).

If the user disappears the bool never gets updated to false so pretty pointless checking it tbh (so bool still = true even though it should be false technically).

I don't get some people's coding really. I assume this isn't something you've custom made?
John
20th May 10 at 12:55

If the connection is running through a server they may be using ISA, it's crap and could cause issues, there aren't many other things that would run on a server for 3 or 4 people.

Maybe they just mean they have a server.

[Edited on 20-05-2010 by John]
Dom
20th May 10 at 13:04

quote:
Originally posted by John
If the connection is running through a server they may be using ISA, it's crap and could cause issues, there aren't many other things that would run on a server for 3 or 4 people.

Maybe they just mean they have a server.

[Edited on 20-05-2010 by John]


Exchange is about the only thing on it and network storage, it's some silly dell server. I would have thought it'd cause issues with sessions though
