sessions dying very soon for some reason

[Ninjakreborn]

I actually have a few questions and one problem on sessions, I am getting a lot more advanced with sessions, it won't be long before I start playing with custom session handling but not yet.

First I will ask a few questions, then bring up my problems.

[b]Questions[/b]

1.  I know there are multiple choices for saving state, sessions, cookies, and other things.  I have my website over at freelancebusinessman.com and I am trying to set up some ideas.  So far right now I have a administration page wired throughout the whole site, allowing me to do various things on it, and access various areas other people can't like: personal files, code I reuse that I created, tutorials that I am building, ex cetera. I use sessions for that, what happens if I wanted to add another system into the site, like wanted to start selling something, or allowing a members only section, I don't want them intermingled do I.  Or should I use cookies for my admin sections, and sessions for user logins, or just use different session areas.  Or if I create member sections can I create the member login wherever, but have it take them to another folder.  Like if I had a folders called members, and that was where I kept all my member information, then I had a php.ini file put int here with session information woudl it be different.  Would the sessions be saved in 2 different file locations, one for the rest of my site, and one for that one folder.  I might have multiple login areas eventually.  See I will always have the admin area, I will just increase it and make it bigger and bigger, throughout the entire site, even the other member areas.  BUt I might eventually have 6-9 different member related pages, but all of those pages might require different signup's with different logins, and completely different systems.  For instance(JUST EXAMPLES), say I first start off having a link leading to a login for selling templates, it's an entire system, they have to sign up to gain access, then they get into the area, where I sell or give away templates or somethign similar.  This link to the sectionw ould be on my homepage or something.  Then I might have aother link going to another members section that has a form I create as a test, but they have to register, and login seperately.  Then I have another link on my homepage going to another page, called playground.  Like I create an open source playground area for people to play with various languages while theya re learning.  But you have to register and sign in seperately, from the other sections.  THen I might have over here on the homepage another link that takes you to a test thing I am creating to sell auctions things like on ebay, if I wanted to create a test program to see how it goes, but thato ne required another registration and login.  And on and on, and so forth, but kept buildigng other member sections( I am not sure what all I amgoign to do with my site), but throughout all of the site, including all of these area's I still have my administration system, I login once and get administration access through the entire site, so far using sessions.  How would I set up each of these sections of the site differently, I know I can create a different databsae for each section, because some might have messaging systems, then I know all of that, but how will I handle login, with each of these member areas, all on the same domain, essentially all the same website, just different sections of the website.


[b]Problem[/b]
This was just something I was having a problem with, on my administration login, I have session_start(); on every page, everything runs smoothly, but the session keeps dying very quickly and i have the number of seconds to a very, very high number, I think it's killing my session file itself prematurely, because I know the cookie is still there, I see it trying to string the thing onto the url automatically, but for some reason after awhile it doesn't stay logged in, does it have something to do with my garbage collection, here's my php.ini file that show's this.



[quote][Session]
session.save_handler      = files  ; handler used to store/retrieve data
session.save_path        = /tmp    ; argument passed to save_handler
                                    ; in the case of files, this is the
                                    ; path where data files are stored
session.use_cookies      = 1      ; whether to use cookies
session.name              = PHPSESSID 
                                    ; name of the session
                                    ; is used as cookie name
session.auto_start        = 0      ; initialize session on request startup
session.cookie_lifetime  = 31536000      ; lifetime in seconds of cookie
                                    ; or if 0, until browser is restarted
session.cookie_path      = /      ; the path the cookie is valid for
session.cookie_domain    =        ; the domain the cookie is valid for
session.serialize_handler = php    ; handler used to serialize data
                                    ; php is the standard serializer of PHP
session.gc_probability    = 1      ; percentual probability that the
                                    ; 'garbage collection' process is started
                                    ; on every session initialization
session.gc_maxlifetime    = 6000    ; after this number of seconds, stored
                                    ; data will be seen as 'garbage' and
                                    ; cleaned up by the gc process
session.referer_check    =        ; check HTTP Referer to invalidate
                                    ; externally stored URLs containing ids
session.entropy_length    = 0      ; how many bytes to read from the file
session.entropy_file      =        ; specified here to create the session id
; session.entropy_length    = 16
; session.entropy_file      = /dev/urandom
session.cache_limiter    = nocache ; set to {nocache,private,public} to
                                    ; determine HTTP caching aspects
session.cache_expire      = 180    ; document expires after n minutes
session.use_trans_sid    = 1      ; use transient sid support if enabled
                                    ; by compiling with --enable-trans-sid

[MSSQL]
;extension=php_mssql.dll
mssql.allow_persistent = On ; allow or prevent persistent link
mssql.max_persistent = -1 ; maximum number of persistent links. -1 means no limit
mssql.max_links = -1 ; maximum number of links (persistent+non persistent).  -1 means no limit
mssql.min_error_severity =[/quote]

[trq]

I Just went and wrote a massive rant about how I impliment my permissions system based on the same concepts that are used in Linux. When reading my spill back it became clear that my message was probably going to be more confusing then helpfull.

Anyway... if you know anything about Linux, think about how its permissions are implimented. Multiple users can all share the same computer at the same time, but you need to belong to certain groups to gain access to certain directories. Files need to have the correct permissions for you to be able to read or write to them.

You can easily setup a website to use these same basic principles, and if you do so based on the Linux system you will find it enormously flexable. I can have 10 different users all viewing the same section of my cms and all be seeing different data at the same time. Mods on a forum for instance could post private messages to other mods between regular users posts without the regular users ever seeing them. You can lock down by section or even down to single record, I really cant think of a more flexible approuch.

I wont go into the implimentation details but if you know anything about Linux permissions you will understand that they are a tried and true, secure and flexible system. If you dont know anything about them, you should find plenty of docs online describing there concepts.

of course this isn't the only approuch, but IMO is the most flexable, and any system is based on some sort of [i]groups[/i] or at its simplest maybe even different user [i]levels[/i].

As for your other problem. How fast is quickly? And is this occuring when you have long periods of idle time or while your browsing the site? Have you played with the defaults? They are usually pretty good to start with and will be sufficient in most cases.

[Ninjakreborn]

The only default I messed with is the one allowing the cookie to stay planted after the browser is closed.  It does but it's destroying my session file before the cookie does.

Also if you still have that rant you were typing, I would like to see it, it might be more helpful than you thought if you have it somewhere.

[Ninjakreborn]

bump

[SharkBait]

I didnt read the entire post my eyes started to bugger on me but...

My sites consist of userlevels.  Each level can do a different thing.

Level 1's can edit things that they created
Level 3's can edit/add/delete things they or other people created and also access places that level 1's cannot.
Level 5's are the sysadmins (well me) I can do everything anyone else can do and more.  Level 1's and Level 3's cannot goto sections that Level 5's can.

All of this is done with by storing the User's level (from the database) into a session when they first login.  I do checks a various spots to see what they can or cannot access.

I only use 1 cookie in one of my sites. This helps me 'pass' the session over to a sub-domain.

As for your session dying.  Have you checked to make sure that the php.ini file is set properly for session timeouts?  I know my don't expire until the user closes their browser.  Perhaps the session is set another way? I know on my employer's website they last until you close the browser, but one of our internal servers, the session is set to last 4 hours.

[yyboo]

I have been reading up on this very subject for two days, searching and searching for an answer to why my own sessions will not last past 24 minutes, to no avail.. I've tried setting everything in phpinfo()... I saw one post where  a guy actually had a problem because his session WOULDN'T quit... I have sent him a message and begged him for code.. I wish I had that problem.. I'm just at my wits end and ready to open a vein..... ack!
I used
ini_set("session.cache_expire","10800");
ini_set("session.gc_maxlifetime","10800");
ini_set("session.cookie_lifetime","36000");
session_save_path("/sessfoo");
.....to no avail. I am new to sessions, but boy is it a tough nut to crack. I log in, great, all settings are fine, I refresh great everything likes me, I wait 30 minutes and refresh, bumped out back to log in screen...  I'm going now to crawl in bed and pull the covers over my head.. -Sally

[Ninjakreborn]

I even wrote a huge tutorial on sessions/cookies on my sites, I thought my research uncovered all, but I don't understand what is causing this erratic behaviour, there must be somethings causing it we do not know.  I will do some research on these issues, if you find out anything, or if anyone knows something it would help, I listed my php.ini file in my post.

[poirot]

Are you sure the session data itself is being destroyed prematurely?
Since you are using files to store them, you can know this by looking at the session folder (session.save_path) and check if the file is still there. The session file is named after the session id.

Likely, the session data is not being destroyed, but the session id not being propagated correctly. You can check that by printing the session_id on every page, if you notice that it changes, you have a problem with propagation.

And also it may be a browser related bug; check it with Mozilla Firefox and if it works correctly, you should add the following header:

[code=php:0]header("Cache-control: private");[/code]

[Ninjakreborn]

I will try this out, the thing I don't get though is it's trying to string the session onto it, I login, it works fine, even after closing hte browser and reopening it, but when I come back, when it should still have a long ways to go, I am not logged in later on.  I see it's trying to add a session id to the string, because it appears there sometimes, but the session is not doing anything with the id.