why does this code fail to set the session expiration properly?

[bitt3n]

I am experiencing a strange problem when I try to get a session to persist for 100 days. I set the session to last for 100 days using the code below, but the session appears to last ~30 minutes only. One of the comments in PHP.net suggests updating a couple of ini settings (see first two lines of below code), but that still does not prevent the session from expiring prematurely. I also tried manually setting the expiration for PHPSESSID in addition to calling session_set_cookie_params(), but the session still expires early. I would be most grateful for any suggestions. Here is the code I am using:

 

ini_set("session.cache_expire","100*24*60*60"); // default is 180, which is 3 hours...

ini_set("session.gc_maxlifetime","100*24*60*60"); // default is 1440, which is only 24 minutes
     
$timeout100days = time()+100*24*60*60;
$timeoutToday = mktime('23','59','59', date('m'), date('d'), date('Y'));
$expire = time()-1800;

if (!empty($_COOKIE['login_temp']) && !empty($_COOKIE['PHPSESSID'])) {
     if ('not_public_terminal' == ($_COOKIE['login_temp'])) {
          setcookie('PHPSESSID',$_COOKIE['PHPSESSID'],$timeout100days, '/', 'kinostat.com');
          session_set_cookie_params($timeout100days, '/', 'kinostat.com');
          //echo('<p>login_temp cookie is \'not_public_terminal\', cookie params set to 100 days.</p>');
     } else { // if login_temp is not FALSE
          setcookie('PHPSESSID',$_COOKIE['PHPSESSID'],$timeoutToday, '/', 'kinostat.com');
          session_set_cookie_params($expire, '/', 'kinostat.com');
          //echo('<p>login_temp cookie is \'public_terminal\', cookie params set to 0 days.</p>');
     }
} else { // if login_temp not set
     if (!empty($_COOKIE['PHPSESSID']))
          setcookie('PHPSESSID',$_COOKIE['PHPSESSID'],$timeoutToday, '/', 'kinostat.com');
          session_set_cookie_params($expire, '/', 'kinostat.com');
          //echo('<p>login_temp cookie is NOT SET, cookie params set to 0 days.</p>');
}

[Jessica]

From the manual:http://us3.php.net/manual/en/ref.session.php#ini.session.gc-maxlifetime

 

Note: If different scripts have different values of session.gc_maxlifetime but share the same place for storing the session data then the script with the minimum value will be cleaning the data. In this case, use this directive together with session.save_path.

 

I think you'll need to set it in the php.ini, or on every single page, in order for it to work.

[bitt3n]

hm.. that code is on every single page, so I should be OK there, but I am on a shared host saving the cookies in /tmp, so maybe other people are running scripts that are killing my sessions? Could that be the problem? In which case is the best thing to save my sessions to another directory that I know that no one else will be using?

[camdagr81]

each /tmp directory should be explicit to your hosting account. I've read somewhere (can't remember) that the host pc time could affect the session expiration. But I'm not sure in what way.

[Jessica]

Can you use an htaccess file to set it? Perhaps that would work?

[bitt3n]

ok, I've made some progress. Apparently someone else's script on the shared server or a server cleanup routine is killing my sessions stored in the /tmp directory. I changed the sess id save path to

 

session_save_path("./tmp");

 

to store it in the root directory of my folder on the shared server (so the sessions are no longer saved in "/tmp", which is above this directory), and now the sessions appear to be persisting properly.

 

I still have the following problem though: php is running as the user:group "dhtml:dhtml" whereas the user:group for my folder on the shared server and all folders within my folder is "username:username", and thus "dhtml" does not have permission to access the "./tmp" directory unless I CHMOD 777 the directory.

 

My hosting provider doesn't provide SSH access on the shared server. I assume SSH access is necessary to grant "dhtml" access to the ./tmp directory, and that I should therefore contact my hosting provider and ask them to set the permission for me. Is my understanding correct, or is there some way for me to do it myself without SSH? (I can CHMOD the directory via FTP, but my FTP program doesn't seem to allow me to change the group/user assigned to a given folder.) Thanks for your help.

 

[Jessica]

I'd just contact them and explain the problem. Who is your host?

[bitt3n]

cartikahosting.com

[bitt3n]

hm.. my hosting provider's support responded with "just CHMOD 777 the directory". Am I correct in believing that giving open permissions to a directory containing session data is dumb?

[camdagr81]

LOL that's very dumb, and even dumber is them telling you to mod the dir. You're doing it the right way by saving to a local temp folder, I would see about adding those file types to the htaccess though so that your information isn't phishable.

[bitt3n]

LOL that's very dumb, and even dumber is them telling you to mod the dir. You're doing it the right way by saving to a local temp folder, I would see about adding those file types to the htaccess though so that your information isn't phishable.

I just put an .htaccess file in the new /tmp directory with "Deny From All" so that people can't view the session data. Is that enough to prevent access, or is there something more I can do? thanks.

[camdagr81]

That should do. Maybe add an index.php that sends the header to your main page:

//Body of index.php in that directory
<?php 
header("Location: http://www.yoursite.com");
?>

 

This will prevent anyone trying to get the directory structure of your folder. You should add that in all folders that don't have an index.html/php etc in them.