Unexpected session timeouts

[kgenly]

I'm not sure if this is the correct part of the forum for this question, but it was my best guess!

 

I run a website that allows users to create profiles for characters they have thought up and like to play with. It's sort of like myspace for roleplayers.

 

My users have been complaining that they are being logged out of my site even when they are using it actively. I ran some tests to see what the problem might be, and eventually discovered that sessions are expiring unexpectedly.

 

The default for my host appears to be that sessions are meant to expire after 180 minutes (3 hours) of inactivity, so I ran a test where I logged into my site, then set a timer and let my browser sit idle for two hours. I then used my site again, making edits to profiles and whatnot, which I expected to reset my session's life for another three hours. However, when my timer went off after two hours and I tried again, I discovered my session had expired and I was logged out of my site. As far as I can tell, logging in sets the session to expire in three hours, regardless of whether the user is still actively using the site or not. (There is a PHP session_start() call at the top of each of my pages).

 

After doing a lot of searching, I had the theory that the garbage collector was checking not the last time of access, but the last time of modification, so I added to the top of every page something that changed a variable in the session every time a page was loaded. When I ran the test again, I was unable to make it to the first two hour mark, let alone the second. I ran this test twice more and had the same issue. Why would editing the session result in it being shortened??

 

I've also tried putting a session_cache_expire() call before each session_start() that was set to extend the cache expiration out to about a week, but it didn't seem to have changed anything.

 

I don't understand this behavior at all. I asked my host why my sessions were expiring early and never being extended through use or modification, but all they said was that it was expected PHP behavior and I should ask someone to help me with PHP. Granted, I'm a fairly green programmer, but this isn't the behavior I expected, and not the behavior that seems to be described in the manual, unless I am reading it completely wrong.

 

Does anyone have any thoughts? This issue has resulted in my receiving lots of ugly hate mail from people who had their work eaten when they tried to submit something only to discover they'd been logged out while they were typing their monster posts, and is souring the atmosphere in a community that is otherwise really enthusiastic. Any help would be greatly appreciated!

[PFMaBiSmAd]

Are you on a shared web server and your session.save_path setting is the default setting (typically /tmp)?

[kgenly]

Yes, and yes.

 

I just found some information saying session_cache_expire() has nothing to do with the life of the session and is just something sent in the headers about how long it's safe for browsers to cache something. How confusing! It still doesn't really explain to me why my sessions were expiring faster when I was making random changes to one of the variables. I'm testing

 

ini_set("session.gc_maxlifetime", "18000"); 

 

before my session_start() right now, as that was suggested to me elsewhere.

[PFMaBiSmAd]

When your session data files are stored in with all the other session data files (using the default session.save_path) the shortest session.gc_maxlifetime of all the scripts running on the same server WINS. Some misguided individual has probably set his session.gc_maxlifetime to a fairly short value in an attempt to log users out instead of properly handling this in his application.

 

You need to set session.save_path to  point to a 'private' folder within your account's folder tree.

 

The best way is to set it to a folder that is outside your document root folder (closer to the disk root) so that no one can possible browse to the session data files. If this option is not available, you will need to create a folder inside your document root folder and you should take steps to prevent http requests to the files in the folder (assuming an Apache web server, you can put .htaccess file in the folder to deny all http requests.)

 

You must set the session.save_path setting before every session_start() statement. It is best if you put global settings like this into a local php.ini (when php is running as a CGI application) or in a .htaccess file (when php is running as an Apache Module.)

[kgenly]

Sorry, I think I was confused about the question.

 

There is one physical server that I share with others, but each user has their own 'virtual' machine within that, so it's just me using the tmp file in question.