Session Timeout Problems [URGENT]

02-20-2008, 09:31 PM
I am having some issues and weird behavior with the sessions on my host's server.

I am using the following to set the session timeout to 6 hours:

ini_set('session.cookie_lifetime', 21600);
ini_set('session.gc_maxlifetime', 21600);

Now, it is my understanding that the session will not time out until you become inactive, at which point this 6 hour timer is started. Instead, it kills the session 6 hours after it is first created, which is not what I want. How can I make it act the way I expect it to?

In addition to that, the session should end when the user closes their browser. Currently, it does not. It's like the session is based on IP or something, because opening and closing the browser (and I mean browser, not browser tab) does not end the session.

Can someone help me figure out what the hell is going on, so that my application does not log my users out in mid data-entry?

Thank you!

02-20-2008, 09:35 PM
Is this on a shared host or a dedicated server?

For your second question of ending the session when the browser is closed, leave/make the 'session.cookie_lifetime' setting zero.

02-20-2008, 09:40 PM
Shared. Knowing that that can cause problems, I did move the session files into a folder (below web root) that is in my account only, in an attempt to avoid issues.

02-20-2008, 09:56 PM
"Active" to a web server means an HTTP request. If someone requests a form, that form is sent to the browser. That is the end of the "activity" and the session data file carries the time when the session data was written to it when the php script on your form page terminated. If a visitor is taking a long time to fill in a form, the server does not know that.

Changing the 'session.gc_maxlifetime' should prevent the session data files from being deleted; however, where and how have you changed the session.save_path and session.gc_maxlifetime settings? They need to be set before every session_start() statement. Setting them in a .htaccess file or a local php.ini file would ensure they always get set.

02-20-2008, 10:07 PM
This code is part of a file that is called on EVERY page. The file sets constants, includes some general functions, and sets the session data:

ini_set('session.save_path', '/home/user/path');
ini_set('session.cookie_lifetime', 21600);
ini_set('session.gc_maxlifetime', 21600);

Thanks for the input about 'active'. I am aware, and I do mean 'active'. The Application uses a large amount of AJAX. There is actually very little typing, it is mostly all made up with searching the database, and using AJAX to make changes in the session (where all of the data about the 'form' is held until its ready to be saved.)

So on average, I would say that each user is making a call to the system about 8-12 times a minute. Because of that, it makes no sense that the session would suddenly go "Okay, I've been around for 6 hours, I'm outta here!"

As I said, the program holds all of the form data in the session. There can sometimes be hours of work held in session variables. So as you can understand, it is URGENT that I stop the session from suddenly disappearing.

02-20-2008, 10:28 PM
There are three possible things going on - 1) The session data files are getting deleted, 2) A new session is getting started because of a change in the host or path portion of the url results in no match with the previous session, or 3) a problem in the code is deleting the session variables/data file.

For #1, have you checked if session data files are actually present in the folder? Are there any present with file date/times that are older than 6 hours?
Either use the session_get_cookie_params() function or a phpinfo() statement (after your ini_set... session_start()) to see what the settings actually are.

For #2 and #3, what are the actual symptoms? Is data just missing or are they getting logged out?

02-20-2008, 10:43 PM
Total session loss. All data that they had is gone, and a new session is started, as soon as they try to load any page. If they load a page, my code redirects them to a login page, if they run AJAX, nothing happens, because it has no session data to work with.

Yes, there are files in the session folder, and there are only recent sessions in the folder (less than 6 hours old).

02-21-2008, 04:44 AM
Seeing your code would be the next step in finding or duplicating the problem.

02-21-2008, 05:06 AM
I have posted my code twice above.
The problem occurs regardless of what script is running on what page. It is a site wide problem.

02-21-2008, 11:17 PM

This is becoming a major problem for my clients.

02-21-2008, 11:19 PM
Did you run phpinfo() after you used ini_set() to check and see if the changes are even being made?

Have you tried using htaccess to change them?

02-21-2008, 11:29 PM
Yes I did, thank you for the suggestion. It is being changed. Both settings appear in the PHP INFO table.

I don't think it's a problem of setting the values, I think it's an issue with how the sessions are acting. Am I right in my understanding that the inactivity timer should restart every time you make a request from the server? Because right now it's 6 hours from creation, and it is not being restarted when you make a call to the server.


02-22-2008, 03:53 PM
What you are stating you are doing works (unless you are on some combination of operating system, web server, php version where the file creation time is being used by garbage collection instead of the file modification time) or if your code is not really doing what you state.

I suspect that your ajax javascript is either not really making a request to the web server or that the .php code page that is requested by the ajax is operating on a different session than the one that is created by the main .php page.

I tested using ini_set() statements like you are using (ini_set statements have been known to change the displayed values but not actually change values that php uses, especially on Windows) and my generic ajax/php code works as expected, keeping the file modification time current with each ajax request so that the garbage collection does not delete the file.

So, something specific with your server is not working concerning the file creation/modification date or your code is not doing what you think (and posting it would be the only way anyone would be able to help, as was previously suggested.)

02-23-2008, 01:15 AM
The AJAX pages have to be making a request to the server. Otherwise search data, results, and any changes to the session would not be happening. It would be very obvious if the AJAX were failing or caching; it is not.

The session is the same as the login session, otherwise the code would detect that the user is not logged in and error. That and a simple var_dump on the session shows that the original login data and the data that all of the AJAX scripts enter are in fact together. Note: It is not only AJAX that is making requests to the server. About every 30 min a group of 10 or more standard HTTP requests are made.

This is not an issue of the AJAX not working, or the HTTP requests that should keep the server alive working. It is not an issue of the 6 hour limit being imposed. It is an issue of how the 6 hour limit is working. It should be 6 hours from last HTTP request, not 6 hours from creation, which it is now.

I think what I should be asking is, what do I suggest to my Host in the way of correcting the problem?
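
An added example, not code from any poster in this thread: one way to get the two behaviours asked for above (a 6 hour timer that restarts on every request, and a session that ends when the browser closes) by enforcing the idle limit on the server instead of through the cookie expiry. The constant IDLE_LIMIT, the function names and the `last_activity` session key are hypothetical; the save path is the one quoted in the thread.

```php
<?php
// Added example, not from the thread. IDLE_LIMIT, the function names and the
// 'last_activity' key are assumptions made for illustration.
const IDLE_LIMIT = 21600; // 6 hours, the value used in the thread

// Pure decision: has more than $limit seconds passed since the last request?
function session_is_idle_expired(?int $lastActivity, int $now, int $limit = IDLE_LIMIT): bool
{
    return $lastActivity !== null && ($now - $lastActivity) > $limit;
}

function start_sliding_session(string $savePath): void
{
    // Private save path, so another account's garbage collector (running with a
    // shorter gc_maxlifetime) cannot delete these files on a shared host.
    ini_set('session.save_path', $savePath);

    // GC compares against the file's modification time, which moves forward
    // each time the session is written at the end of a request.
    ini_set('session.gc_maxlifetime', (string) IDLE_LIMIT);

    // A non-zero session.cookie_lifetime is an absolute expiry stamped when PHP
    // first sends the cookie; the cookie is not re-sent on later requests, so
    // the browser drops it that long after creation. 0 makes it a
    // browser-session cookie that disappears when the browser is closed.
    ini_set('session.cookie_lifetime', '0');

    session_start();

    $now = time();
    if (session_is_idle_expired($_SESSION['last_activity'] ?? null, $now)) {
        // Idle too long: discard the old data and continue under a fresh ID,
        // so a stale session ID cannot be reused after the limit.
        $_SESSION = [];
        session_destroy();
        session_start();
        session_regenerate_id(true);
    }

    // Every request, AJAX or full page, restarts the idle timer here.
    $_SESSION['last_activity'] = $now;
}

// Call once at the top of the shared include, before any output is sent.
start_sliding_session('/home/user/path');
```

GC only runs probabilistically, so the `last_activity` check is what actually enforces the limit; the `gc_maxlifetime` setting just keeps the file from being removed sooner.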