[PHP] PHP sessions - users being automatically logged out
I'm having trouble with a PHP site whereby some users are being logged out on a regular basis. This will usually happen after they have been using the site for a few minutes: they can log in without any problems and access a few pages, but then suddenly they will request a page and be sent to the login form, which suggests that their session no longer exists. However, this doesn't affect all users - I can log in and use the application without any problems, as can some other users.

According to phpinfo(), the following session values are set (all are what I'd expect - either the default or something I've deliberately changed):

session.auto_start = Off
session.bug_compat_42 = On
session.bug_compat_warn = On
session.cache_expire = 180
session.cache_limiter = nocache
session.cookie_domain = no value
session.cookie_httponly = Off
session.cookie_lifetime = 0
session.cookie_path = /
session.cookie_secure = Off
session.entropy_file = no value
session.entropy_length = 0
session.gc_divisor = 100
session.gc_maxlifetime = 1440
session.gc_probability = 1
session.hash_bits_per_character = 4
session.hash_function = 0
session.name = PHPSESSID
session.referer_check = no value
session.save_handler = files
session.save_path = /shared/sessions
session.serialize_handler = php
session.use_cookies = On
session.use_only_cookies = Off
session.use_trans_sid = 0

I've tried checking a few obvious things:

* IP addresses - the site doesn't use the IP address as part of the authentication process, and almost all our users (including the ones experiencing problems) have static IP addresses anyway.
* Number of sessions - there are between 40-60 session files on disk at any one time, so I doubt there's a maximum number of session files limit being broken, if such a configuration option exists.
* Permissions - the web server user (www-data) has read/write permissions to the directory where the sessions are stored and all the files within it, and they are all owned by this user.

Is there anything else obvious which could be causing the problem? This seemed to occur when we moved hosts, and I haven't changed the site's session handling code for some time, so I suspect it might be a configuration issue but can't figure out what.

Thanks,

Paul

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] PHP sessions - users being automatically logged out
Inc session.cache_expire. You have only 3 minutes. This means the browser will drop the cookie containing the session id in three minutes, or even less, of the client's inactivity.

I prefer to set expire-time to zero, so the browser will never forget the session id. In other cases, if security requires, I usually set it to 24 hours, to avoid some mystic problems in case of misconfigured servers and/or clients' TZ; they are rare.
Re: [PHP] PHP sessions - users being automatically logged out
On 04/11/10 14:56, Alexander Holodny wrote:
> Inc session.cache_expire. You have only 3 minutes. This means browser will drop cookie containing session id in three minutes, or even less, of clients inactivity.

According to the PHP manual:

    session.cache_expire specifies time-to-live for cached session pages in minutes, this has no effect for nocache limiter.

So the value of session.cache_expire should be ignored, as session.cache_limiter is set to nocache.

Paul
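
An added example, not part of the thread: a PHP diagnostic that separates the three settings discussed above (cookie lifetime, server-side garbage collection, HTTP cache expiry) and reports which of them can end a session. The function name session_lifetime_report() is hypothetical; the "posted" values are copied from the phpinfo() listing in the first message.

```php
<?php
// Added example: report which session settings govern how long a login lasts.
// session_lifetime_report() is a hypothetical helper, not code from the thread.
function session_lifetime_report(array $ini): array
{
    $notes = [];

    // Client side: how long the browser keeps the session-id cookie (seconds).
    $cookie = (int) $ini['session.cookie_lifetime'];
    $notes[] = $cookie === 0
        ? 'cookie: kept until the browser is closed (cookie_lifetime = 0)'
        : "cookie: expires {$cookie} s after it is set";

    // Server side: idle time after which session data counts as garbage, and
    // the chance that a given session start triggers the collector.
    $max = (int) $ini['session.gc_maxlifetime'];
    $p   = (int) $ini['session.gc_probability'];
    $d   = max(1, (int) $ini['session.gc_divisor']);
    $notes[] = sprintf(
        'data: eligible for GC after %d s (%.0f min) idle; GC chance %d/%d per session start',
        $max, $max / 60, $p, $d
    );

    // HTTP caching: cache_expire is in minutes and only affects cache headers;
    // it is ignored when the limiter is nocache or when no limiter is set.
    $limiter = strtolower((string) $ini['session.cache_limiter']);
    $expire  = (int) $ini['session.cache_expire'];
    $notes[] = ($limiter === 'nocache' || $limiter === '')
        ? "cache: cache_expire = {$expire} min is ignored (cache_limiter = '{$limiter}')"
        : "cache: pages may be cached for {$expire} min (cache_limiter = '{$limiter}')";

    return $notes;
}

$keys = ['session.cookie_lifetime', 'session.gc_maxlifetime', 'session.gc_probability',
         'session.gc_divisor', 'session.cache_limiter', 'session.cache_expire'];

// Values in effect for the PHP process running this script.
$live = [];
foreach ($keys as $k) {
    $live[$k] = ini_get($k);
}

// Values copied from the phpinfo() listing posted in the thread.
$posted = array_combine($keys, ['0', '1440', '1', '100', 'nocache', '180']);

foreach (['live' => $live, 'posted' => $posted] as $label => $ini) {
    echo "[{$label}]\n  ", implode("\n  ", session_lifetime_report($ini)), "\n";
}
```

Run it through the same SAPI that serves the site (for example as a web page rather than from the CLI), since the CLI and the web server can load different php.ini files.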