PHP session randomly dying (Nginx)

[tonyfriz]

I'm working with an issue I've been dealing with for months because there're no hints towards what exactly is the problem.

Essentially, my PHP session is randomly dying (or so it seems). I've a user authentication system built which is rather simple. I store the user's email in $_SESSION['email'] and their hashed password in $_SESSION['hashed_password']. I'm running nginx 1.14 and PHP 7.4. I have my session lifetime set to 150 seconds (which is not the problem, the session is dying within 1 minute of logging in). I've even changed the session data directory to a custom folder by changing session.save_path.

Basically, I login to my system and start randomly clicking around from page to page. After 15-60 seconds, I randomly am kicked out of my system. The page it occurs on too seems random. From logging variables, I see that $_SESSION['email'] and $_SESSION['hashed_password'] are suddenly empty (which I've obviously programmed a response to which is to send the user back to the login page). I'm not calling session_destroy() anywhere. The amount of clicking around required to trigger the sessions's death is unpredictable. It can happen right away or it can take a few moments.

I realize I'm not presenting a lot of information but this is really all I have to go on. I've read and reread my user class and there's nothing anywhere that would randomly trigger the session to become destroyed. I've even set $_SESSION['random_int'] to make sure it's not from me logging the user out and that too is empty when this behavior occurs.

I appreciate any help.

[mac_gyver]

are there any ajax requests being made to a page that is also using session variables? what if any is the 'logout' code? can the logout code be reached by any other code not die'ing after a redirect?

the quickest way of eliminating a lot of guessing is to just post the code, so that the problem can be narrowed down to just a few things that can be investigated further.

[tonyfriz]

I was able to determine the problem. session.cookie_lifetime needed to be set to 0. After changing that and restarting the fpm, the "random" logouts have stopped.