Should a session expire itself after a certain time?


cleibesouza


Should a session expire itself after a certain time? Here's my problem:

 

I have an application that uses sessions on some pages. My understanding is that if the user is logged in (session started) and for some reason doesn't do anything on the site for 'X' minutes, the user's session should expire. I checked the session_cache_expire() and it's set to 180 (or 3 min.). I always assumed that if one goes for 3 min. without interacting with the site it would expire the session.

Do I need to do anything else for it to happen or do I have a wrong understanding of sessions in this context?  :-\

 

Thank you.


Ok, but the question here is:

If a user is logged in and stays inactive longer than the time the session is set to expire, should all the sessions automatically expire, and upon clicking on something that requires a session should the user see the login prompt again? Here's my test:

I did:

session_cache_expire(1)

 

Logged in and waited 2 minutes. Sessions were still valid.


And the session cache expire setting has absolutely nothing to do with how long a session lasts. It is how long a web page that is using a session cookie will be kept in the browser's cache.

 

It's actually the session garbage collection running that ends a session by deleting the session data files older than the session.gc_maxlifetime setting. However, by default garbage collection runs randomly, so you cannot rely on it to end sessions when you expect. Old session data files could randomly exist for days on a server that has few session_start() statements being executed on it.

 

Don't use the underlying operation of the session to log someone out. If you want something to happen after a specific amount of time has passed, store the last access time in a session variable and then check on each page access whether that is farther in the past than a value you choose, and use that information to log someone out.


So, if I understand correctly you're saying there's no mechanism to expire session variables if a user IS INACTIVE for a certain period of time. I don't want to log somebody out after 'X' time. I want it to happen if they're INACTIVE after 'X' minutes. What I don't want to happen is that somebody is on the site clicking around and after 'X' minutes gets logged out automatically.


A session's life depends solely on the existence of a cookie in the client browser which contains the session id. If this cookie is removed or expires, the session is ready for garbage collection. You can extend the lifetime of the cookie by using:

 

session_set_cookie_params($sessionLifetimeInSeconds);

 

Now your cookie (and your session) will live as long as $sessionLifetimeInSeconds defines. By default the cookie's lifetime equals 0 which means that if you close your browser, the cookie is removed and the session expires.

 

What the actual purpose is of session_cache_expire() I don't know, the description says: "session.cache_expire specifies time-to-live for cached session pages in minutes" Are they referring to real pages, like html? Or to the session files that are created in the temporary directory?


So, if I understand correctly you're saying there's no mechanism to expire session variables if a user IS INACTIVE for a certain period of time. I don't want to log somebody out after 'X' time. I want it to happen if they're INACTIVE after 'X' minutes. What I don't want to happen is that somebody is on the site clicking around and after 'X' minutes gets logged out automatically.

 

Sure there is:

 

session_start(); // the check only makes sense once the session is active

if (!isset($_SESSION['last_click'])) {
    $_SESSION['last_click'] = time();                  // first request: start the clock
} else if ((time() - $_SESSION['last_click']) > 300) { // inactive for 5 minutes
    $_SESSION = array();                               // drop everything, including the login
} else {
    $_SESSION['last_click'] = time();                  // still active: update last_click
}

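A fuller version of the idea in the two replies above (store the last access time in the session and check it on each protected request), written as an added example for this thread rather than code posted by any participant. It assumes PHP 7.3 or later, a login flow that calls login_user() after credentials are verified, and illustrative values for the timeouts and the login URL; none of those come from the thread.

```php
<?php
// Added example (not from the thread): application-level inactivity logout.
// Assumes PHP >= 7.3; IDLE_TIMEOUT, ABSOLUTE_MAX and '/login.php' are
// illustrative assumptions.
declare(strict_types=1);

const IDLE_TIMEOUT = 20 * 60;  // log out after 20 min without a protected request
const ABSOLUTE_MAX = 8 * 3600; // and unconditionally after 8 h, active or not

// The server-side session data must outlive our own idle window, otherwise
// PHP's garbage collector may delete it before require_login() gets to decide.
// ini_set must run before session_start() on every request that uses it.
ini_set('session.gc_maxlifetime', (string) max(IDLE_TIMEOUT, ABSOLUTE_MAX));
session_set_cookie_params([
    'lifetime' => 0,     // session cookie: discarded when the browser closes
    'path'     => '/',
    'secure'   => true,  // only sent over HTTPS
    'httponly' => true,  // not readable from JavaScript
    'samesite' => 'Lax',
]);
session_start();

/** Call once, right after the user's credentials have been verified. */
function login_user(int $userId): void
{
    session_regenerate_id(true);          // fresh id: defeats session fixation
    $_SESSION['user_id']       = $userId;
    $_SESSION['created_at']    = time();  // for the absolute limit
    $_SESSION['last_activity'] = time();  // for the idle limit
}

/** Destroy the server-side data and tell the browser to drop the cookie. */
function logout_user(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', [
            'expires'  => time() - 42000,
            'path'     => $p['path'],
            'domain'   => $p['domain'],
            'secure'   => $p['secure'],
            'httponly' => $p['httponly'],
            'samesite' => $p['samesite'],
        ]);
    }
    session_destroy();
}

/**
 * True if the session holds a valid login that has not timed out.
 * Once either limit has elapsed the user is logged out and false is returned.
 * Activity on protected pages refreshes last_activity; public pages leave it
 * alone, so "went to lunch for 20 minutes" expires while "clicking around on
 * protected pages" never does.
 */
function require_login(): bool
{
    if (!isset($_SESSION['user_id'], $_SESSION['created_at'], $_SESSION['last_activity'])) {
        return false;
    }
    $now = time();
    if ($now - $_SESSION['last_activity'] > IDLE_TIMEOUT
        || $now - $_SESSION['created_at'] > ABSOLUTE_MAX) {
        logout_user();
        return false;
    }
    $_SESSION['last_activity'] = $now; // activity pushes the idle deadline forward
    return true;
}

// On a login-protected page:
if (!require_login()) {
    header('Location: /login.php', true, 302);
    exit;
}
```

Two points worth keeping in mind when using this. The idle check lives in the application, exactly as the reply above recommends, so session.gc_maxlifetime only needs to be at least as long as the longest timeout; it is not the mechanism that logs anyone out. And because garbage collection in the default files handler applies whichever gc_maxlifetime the running process has to every file in session.save_path, a shared save directory with a shorter setting elsewhere (an assumption about the deployment, not something the thread states) can still delete this application's sessions early; a private save_path avoids that.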

I always thought one of the features of sessions was to expire themselves if a user is inactive for 'X' minutes. Didn't think we had to write code for it.

 

Any thoughts on that?

 

Sessions don't expire themselves; however, they do expire:

- When a user closes his browser (destroying the session cookie)

- When session_destroy() or session_write_close() is called.


Sessions do expire on their own.  It all depends on how you have your session settings set up.  It is based on these settings:

 

session.save_path

session.gc_probability

session.gc_divisor

session.gc_maxlifetime

 

Depending on how you have session.save_path configured, it will either automatically expire sessions for you or not, read up on that here:

 

http://us3.php.net/manual/en/session.configuration.php#ini.session.save-path

 

If you do have it set up to automatically do the garbage collection (gc), then every time a script is run on your system, it will look at the session.gc_probability and session.gc_divisor variables and there will be a session.gc_probability in session.gc_divisor chance (ex: 1 in 100) that the garbage collection routine will run.  If it does run, then it will delete (expire) all sessions which haven't been accessed in session.gc_maxlifetime seconds.


If it does run, then it will delete (expire) all sessions which haven't been accessed in session.gc_maxlifetime seconds.

 

That's not true. If you modify session maxlifetime then your session will expire (garbage collected) even if you were clicking the hell out of your mouse. You can only expire a session due to inactivity programmatically, like I explained here: http://www.phpfreaks.com/forums/index.php/topic,262461.msg1236391.html#msg1236391


That's not true. If you modify session maxlifetime then your session will expire (garbage collected) even if you were clicking the hell out of your mouse. You can only expire a session due to inactivity programmatically, like I explained here: http://www.phpfreaks.com/forums/index.php/topic,262461.msg1236391.html#msg1236391

 

I stand by what I said as that is the purpose of garbage collection.  You can force the garbage collection routine to run as often as you want by playing with the session.gc_probability and session.gc_divisor settings.  If you want GC to run EVERY time (a waste of resources on a busy site) you would set both to 1 and then it would always run and always expire sessions.  I don't agree that the only way to expire sessions is via your php application.  If you set up session.save_path so that GC is turned off (which is what I normally do) you can then set up a cron on your server that would check for sessions older than whatever you want and have them deleted whenever you've determined they have expired.  This does not have to be related to PHP in any way but still works well.

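The cron-driven cleanup described in the post above, written out as an added example for this thread (it is not code from any participant). It is a PHP CLI script for the default files save handler and assumes PHP 7.4 or later; the fallback directory /var/lib/php/sessions and the 1440-second default are illustrative assumptions, and the command-line arguments are this example's own convention.

```php
<?php
// Added example (not from the thread): deterministic sweep of stale session
// files, to be run from cron instead of relying on PHP's probabilistic GC.
// Assumes PHP >= 7.4 and the "files" save handler; the fallback path and
// default age below are illustrative.
declare(strict_types=1);

/**
 * session.save_path may be written as "N;MODE;/path". With N > 0 the files are
 * spread over subdirectories, and PHP's built-in GC does not clean those at
 * all, so an external sweep like this one is then the only cleanup.
 */
function session_dir_from_save_path(string $savePath, string $fallback): string
{
    $parts = explode(';', $savePath);
    $dir   = trim((string) end($parts));
    return $dir !== '' ? $dir : $fallback;
}

/**
 * Delete sess_* files (recursively) whose mtime is older than $maxAge seconds.
 * This is the same criterion PHP's GC applies against session.gc_maxlifetime:
 * the file is touched on every request that starts the session, so the age
 * measures time since the last request, not time since login. Active users
 * therefore survive the sweep; idle ones do not. Returns the number removed.
 */
function purge_stale_sessions(string $dir, int $maxAge, ?int $now = null): int
{
    $now ??= time();
    $removed = 0;
    $iter = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($iter as $info) {
        /** @var SplFileInfo $info */
        if (!$info->isFile() || strncmp($info->getFilename(), 'sess_', 5) !== 0) {
            continue;
        }
        if ($now - $info->getMTime() > $maxAge && @unlink($info->getPathname())) {
            $removed++;
        }
    }
    return $removed;
}

// Usage from cron, e.g. every 10 minutes:
//   php purge_sessions.php [/path/to/save_path] [max_age_seconds]
// The CLI php.ini can differ from the web SAPI's, so pass the web values
// explicitly rather than trusting ini_get() here.
$dir    = $argv[1] ?? session_dir_from_save_path(
    (string) ini_get('session.save_path'), '/var/lib/php/sessions');
$maxAge = isset($argv[2]) ? (int) $argv[2] : ((int) ini_get('session.gc_maxlifetime') ?: 1440);

if (!is_dir($dir)) {
    fwrite(STDERR, "not a directory: $dir\n");
    exit(1);
}
printf("removed %d stale session file(s) from %s (older than %d s)\n",
    purge_stale_sessions($dir, $maxAge), $dir, $maxAge);
```

Note what this does and does not give you: the timing of expiry becomes predictable, which is the point of the post above, but the threshold is still a single age applied to every session regardless of what the application considers "inactive", so an application-level idle check is still needed if public and protected pages are meant to behave differently.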

If you set up session.save_path so that GC is turned off (which is what I normally do) you can then set up a cron on your server that would check for sessions older than whatever you want and have them deleted whenever you've determined they have expired.  This does not have to be related to PHP in any way but still works well.

 

In my opinion that is what garbage collection does, and I fail to see how this will expire a session due to the user not clicking within a certain interval (for example 5 mins). You suggest setting the maxlifetime to 5 mins, meaning that both active and idle users will have to re-login after 5 mins regardless of which garbage collection method you use.

 

As this was the actual question:

 

..My understanding is that if the user is logged in (session started) and for some reason doesn't do anything on the site for 'X' minutes, the user's session should expire..

 

 


This is quite interesting. I just got off the phone with my server administrator and she says that the session.gc_probability and session.gc_divisor are both set to 1.

 

Yesterday I added this

ini_set("session.gc_maxlifetime", 1)

to my application and indeed the sessions expired after 1 min. Of course I used 1 min. for testing purposes, but I don't believe I should be adding this, although it isn't a big deal, but the server should be taking care of this for me.


In my opinion that is what garbage collection does and I fail to see how this will expire a session due to the user not clicking within a certain interval (for example 5 mins).

 

session.gc_maxlifetime is based on the date/time the session file in question was last modified.  Every time you load a page that has anything to do with sessions, it will update the date/time of the session file.  The only way it wouldn't happen is if you only start your session on certain pages of your site.  Most sites always start the session once a user is logged in to keep track of things so this all works itself out.  So if you don't do anything on the site for 10 minutes and you have session.gc_maxlifetime set to 600, then the next time the GC routine runs, the session will be erased.


What do you mean by:

 

..but the server should be taking care of this for me.

 

If you mean that the server should clean expired sessions up for you, then it does. If you mean that the server should expire a session because a user didn't click for x minutes, then it doesn't.

 

Session support in PHP consists of a way to preserve certain data across subsequent accesses

 

If you want to expire a session because a user didn't click for x minutes, then you need to write this functionality.


Most sites always start the session once a user is logged in to keep track of things so this all works itself out.  So if you don't do anything on the site for 10 minutes and you have session.gc_maxlifetime set to 600, then the next time the GC routine runs, the session will be erased.

 

If you set session.gc_maxlifetime to 600 your session will expire in 10 minutes regardless of your activities.


If you set session.gc_maxlifetime to 600 your session will expire in 10 minutes regardless of your activities.

 

Questionable. Yesterday I added ini_set("session.gc_maxlifetime", 1); to one page. Clicked around for 1 minute, everything went fine. No expiration. Then I sat for another minute doing nothing on the site and the session expired.


ini_set("session.gc_maxlifetime", 1);

 

maxlifetime is defined in seconds.

 

However, by default garbage collection runs randomly, so you cannot rely on it to end sessions when you expect.

 

You defined 1 second as the maximum lifetime however you could browse the website for 2 whole minutes. Garbage collection runs sporadically as you previously said it expired after exactly 1 minute and now after 2 minutes. However like I said maxlifetime is not the thing you are looking for as it will expire all sessions regardless of activity.


I just got off the phone with my server administrator and she says that the session.gc_probability and session.gc_divisor are both set to 1.

Yes, but what does a phpinfo() statement show for their actual values? Just because someone thinks they have set a value somewhere does not mean that value is in effect.

 

Where are you placing the ini_set("session.gc_maxlifetime", x) code at in your script? It would need to be before every session_start() statement in every script to have an effect. It should in fact be set globally in a php.ini/.htaccess file and if your server is setup to automatically start sessions in php.ini it would only have an effect if it was set in the php.ini as well.

 

And as already stated in my 1st reply in this thread, don't use the underlying operation of the session to log someone out. A session is just a container that holds variables between page visits. When you screw around with how the session operates by using a short session.gc_maxlifetime to log someone out, you prevent sessions from being used for any other purpose. It is your application code that should determine the inactive period and take appropriate action when the last access time is greater than a value you choose.

 

What exactly are you trying to accomplish? The subject of automatically logging someone out after a specific period of inactivity, or of showing who is on-line/logged in, has been discussed countless times in every php programming forum around.


Here's an example of what I'm trying to do.

My app has some areas that need log in. Let's say a user is logged in and leaves for lunch. When coming back after 20 min. he/she should be able to go to any page that doesn't need log in, but if they decide to go back to a login-protected page, they should be sent to the login screen. This should happen ONLY IF they're inactive for over 20 mins. Keep in mind that this app already has a logout link, so no need to go there.

What I thought could happen is php expiring that session after a certain time if user is inactive without me having to check.

 

Here are some vars from my php.ini file:

 

session.gc_divisor => 1000 => 1000

session.gc_maxlifetime => 1440 => 1440

session.gc_probability => 1 => 1

 

I'm checking other posts for a solution to this. I honestly thought this would be much easier to accomplish.  ::)

 

Thanks.
