Session keeps expiring

[optikalefx]

I have session_start() at the top of every page.  For some reason if I wait for more than a minute on any page, when I go to refresh the page it kicks me out. I have specific code that tests for a certain session variable, if it doesn't find it, then it kicks the user out.  So why does waiting expire the session?  If i just wait 30 seconds or so and refresh it works fine, but if i wait 2 or 3 minutes then when i refresh the session variable im checking for is gone.

 

I checked the PHPSESSID and there is no expiration on the cookie.

[PFMaBiSmAd]

Are you on a shared web server?

[optikalefx]

Its possible, I use Powweb which has a ton of customers and I didn't pay extra for my own box, so I can only assume its shared.

[PFMaBiSmAd]

When session.save_path is set to the default common tmp location, the shortest session.gc_maxlifetime setting of all the scripts running on your server wins. Some misguided _______ (insert favorite expletive) probably set it to a short value in an attempt to get the underlying operation of session garbage collection to end sessions.

 

You need to set session.save_path to a private folder within your account's folder tree. Ideally the folder should be outside your document root folder (closer to the disk root) so that someone who guesses the folder name cannot browse to the session data files. If this option is not available and you must put the folder inside of your document root folder, you need to put a .htaccess file in the folder to prevent all HTTP requests to the files in the folder.

 

You must set the session.save_path setting before every session_start() statement. It is best to globally set this in a .htaccess file (when php is running as an Apache Module) or in a local php.ini (when php is running as a CGI application.)

 

Once your session data files are being stored in your own folder, the other accounts running on the server cannot affect your session data files.

[optikalefx]

Thanks! I didn't know you could set your own session folder.  This is also a great way to test that I'm getting all my required information.

 

The php.ini file says I have to do my garbage cleaning with a cron job.  Do I really have to do that or will it do that when i destroy the session?

[PFMaBiSmAd]

Session garbage collection is built-in and randomly runs based on session.gc_probability and session.gc_divisor -

 

session.gc_probability integer

session.gc_probability in conjunction with session.gc_divisor is used to manage probability that the gc (garbage collection) routine is started. Defaults to 1. See session.gc_divisor for details.

 

session.gc_divisor integer

session.gc_divisor coupled with session.gc_probability defines the probability that the gc (garbage collection) process is started on every session initialization. The probability is calculated by using gc_probability/gc_divisor, e.g. 1/100 means there is a 1% chance that the GC process starts on each request. session.gc_divisor defaults to 100.