Landslyde, posted March 2, 2015

I don't know how to fix this. In the php.ini, I have sessions set to auto-start, cookie lifetime and session lifetime both set to 5000 seconds. Thing is, even while I'm doing work (on my site) and have a session started, the session still times out after 15 minutes or so. I've been working on displaying an HTML table with MySQL data all night. I can't count the times that I was sent back to the login page because the session had expired.

When the user logs in, I set a session var to their memberID. And on the work pages, I check that each time the page loads:

```php
<?php
if ($_SESSION["memberid"] == "") {
    header("Location: client.php");
}
?>
```

I'm new to php, so I'm only guessing the session's expiring due to the memberid session var emptying. Being in the middle of work, having a page load new data, only to be sent back to the login screen time and time again. Does anyone know how I can fix this issue? Many thanks for your time.

mac_gyver, posted March 2, 2015

have you confirmed that the session settings you have set are actually in effect, using a phpinfo(); statement in a .php script file?

are you on shared web hosting and are using the common/default shared session.save_path setting? if so, your session data files are in the common /tmp location and the shortest session.gc_maxlifetime setting of all the scripts running on the shared web server is what controls which files are deleted when session garbage collection runs. if this is the case, you need to set your own session.save_path setting so that your session data files are only affected by your session settings.

also, you need an exit; statement after your header(...); redirect statement to prevent the remainder of the code on your page from running. as it is, your 'protected' code still runs every time your page gets requested when you are not logged in, which can cause unintended side effects, such as values changing/being cleared, and anyone can still access your protected pages by simply ignoring the header redirect.

Landslyde (author), posted March 2, 2015

mac_gyver: Thanks for your response. I'll add the 'exit();' as you suggested. As for my hosting, I'm on a VPS, running Virtualmin for my web site.

Options for PHP session tracking

Session storage mechanism: Files
Directory for session files: Default (/tmp) | /home/dfwit/tmp <== Selected
Allow use of cookies for session tracking? Yes
Always use cookies for session tracking? Yes
Cookie lifetime: Forever | 5000 seconds // Forever is not selected
Maximum session lifetime: Forever | 5000 seconds // Forever is not selected

No one else is on my VPS. What else do I need to look for? Something is making the sessions end prematurely.

mac_gyver, posted March 2, 2015 (Solution)

have you confirmed that the session settings you have set are actually in effect, using a phpinfo(); statement in a .php script file?

if the information you posted above is a control panel that's modifying the master php.ini, the settings won't take effect until you stop/start the web server. and you still must check what settings php is actually using by using a phpinfo() statement, as things like syntax errors in the php.ini and the wrong php.ini being used, will cause default php settings to be used, not the ones you have set.

Landslyde (author), posted March 2, 2015

mac_gyver: have restarted apache again. Here are my settings per phpinfo:

```
session

Session Support                   enabled
Registered save handlers          files user
Registered serializer handlers    php php_binary wddx

Directive                         Local Value                  Master Value
session.auto_start                On                           On
session.cache_expire              180                          180
session.cache_limiter             nocache                      nocache
session.cookie_domain             no value                     no value
session.cookie_httponly           Off                          Off
session.cookie_lifetime           5000                         5000
session.cookie_path               /                            /
session.cookie_secure             Off                          Off
session.entropy_file              /dev/urandom                 /dev/urandom
session.entropy_length            32                           32
session.gc_divisor                1000                         1000
session.gc_maxlifetime            5000                         5000
session.gc_probability            1                            1
session.hash_bits_per_character   5                            5
session.hash_function             0                            0
session.name                      PHPSESSID                    PHPSESSID
session.referer_check             no value                     no value
session.save_handler              files                        files
session.save_path                 /home/dfwit/tmp              /home/dfwit/tmp
session.serialize_handler         php                          php
session.upload_progress.cleanup   On                           On
session.upload_progress.enabled   On                           On
session.upload_progress.freq      1%                           1%
session.upload_progress.min_freq  1                            1
session.upload_progress.name      PHP_SESSION_UPLOAD_PROGRESS  PHP_SESSION_UPLOAD_PROGRESS
session.upload_progress.prefix    upload_progress_             upload_progress_
session.use_cookies               On                           On
session.use_only_cookies          On                           On
session.use_trans_sid             0                            0
```

See anything out of whack?

mac_gyver, posted March 2, 2015

the settings all look okay. at this point i would suspect either a coding problem (code is running that clears the session) or the host-name/sub-domain name is changing in the urls (with no session.cookie_domain setting, the session id cookie will only match the variation of the domain name where it was set at, so if you are switching around between urls that have and don't have the www. as part of them, the session will alternate and only appear when the requested domain matches where the session was started.)

other than obvious coding problems (like missing exit; statements after header() redirects that let code run that modifies session variables or logout code that gets run just because a page on your site got visited) you will need to debug what's actually going on. you will need to look at the session id cookie in your browser to make sure it is set and what the session id is, echo the session id in your php code, to make sure it matches what's in the session id cookie, and even look at the contents of the session data file, that has the same name as the session id, to see when the data in it gets deleted.

also, do you have any sort of session regenerate or session destroy statements in your code that could be messing with the session data? does your login code check if someone is already logged in and skips processing the request and does it check if a form has been submitted? it may be that the browser is requesting the login page, without any form data, thereby not matching any user and clearing the session variables. do you have any sort of ajax based requests going on that could be doing this in the background?

edit: btw - the session cookie lifetime only matters if you expect the session cookie to be remembered by the browser when all instances of your browser are closed. the session gc_maxlifetime is the setting that could be causing the problem, in which case the session data file itself will be missing (looking for the actual session data file will help to pin down if the file's being deleted or if code is clearing the session variables.)

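The checks from the post above (was a cookie sent, does it match the session id, is the data still there) combined with the redirect-then-exit fix from the earlier reply, as an added example that is not code from the thread. The function names and the `last_seen` marker are hypothetical; `memberid` and `client.php` come from the question, and `session.auto_start = On` is assumed as in the posted phpinfo output.

```php
<?php
// Added example, not code from the thread. classify_session(), require_login()
// and the 'last_seen' key are hypothetical names.

// Work out which of the causes discussed above explains a "logged out" request.
function classify_session(array $cookies, array $session, $cookieName, $sessionId)
{
    if (!empty($session['memberid'])) {
        return 'ok';
    }
    if (!isset($cookies[$cookieName])) {
        // No session cookie came with the request, e.g. it was set on
        // www.example.com and this request went to example.com.
        return 'no-cookie';
    }
    if ($cookies[$cookieName] !== $sessionId) {
        return 'id-mismatch';   // PHP is not using the id the browser sent
    }
    if (!isset($session['last_seen'])) {
        // Cookie and id match but the data is empty: the data file was removed
        // (garbage collection, session_destroy()), $_SESSION was reset, or the
        // visitor never logged in.
        return 'data-gone';
    }
    return 'memberid-cleared';  // data survived, some code removed memberid
}

function require_login($loginUrl = 'client.php')
{
    $state = classify_session($_COOKIE, $_SESSION, session_name(), session_id());
    if ($state === 'ok') {
        $_SESSION['last_seen'] = time();  // marker that proves the data survived
        return;
    }
    $host = isset($_SERVER['HTTP_HOST']) ? $_SERVER['HTTP_HOST'] : '-';
    // Log only a prefix of the id: a full session id in a log file is a credential.
    error_log(sprintf('session check: %s host=%s id=%s...',
        $state, $host, substr(session_id(), 0, 6)));
    header('Location: ' . $loginUrl);
    exit;  // stop here so the protected code below never runs
}

require_login();
// Protected page code starts here.
```

The state written to the error log on each unexpected redirect shows whether to look at host names and cookies, at garbage collection, or at code that modifies `$_SESSION`.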
Landslyde (author), posted March 2, 2015

mac_gyver: I'll check all you suggested. Really appreciate your input and advice on what to test, etc. I can tell you now that the only call to a session destroy is by actually clicking 'Logout' on the menubar, taking the user to a logout page that unsets, destroys, then redirects to the index page. No, this is more like the session timing out, or, like you say, the sessionID somehow changing and not matching up with the cookieID. Since I've shown you all my php settings and you see nothing awry, then it sort of boils down to my coding. And that wouldn't surprise me. Thanks for your help. Seriously appreciated.