Jump to content

why does this code fail to set the session expiration properly?


bitt3n

Recommended Posts

I am experiencing a strange problem when I try to get a session to persist for 100 days. I set the session to last for 100 days using the code below, but the session appears to last ~30 minutes only. One of the comments in PHP.net suggests updating a couple of ini settings (see first two lines of below code), but that still does not prevent the session from expiring prematurely. I also tried manually setting the expiration for PHPSESSID in addition to calling session_set_cookie_params(), but the session still expires early. I would be most grateful for any suggestions. Here is the code I am using:

 

ini_set("session.cache_expire","100*24*60*60"); // default is 180, which is 3 hours...

ini_set("session.gc_maxlifetime","100*24*60*60"); // default is 1440, which is only 24 minutes
     
$timeout100days = time()+100*24*60*60;
$timeoutToday = mktime('23','59','59', date('m'), date('d'), date('Y'));
$expire = time()-1800;

if (!empty($_COOKIE['login_temp']) && !empty($_COOKIE['PHPSESSID'])) {
     if ('not_public_terminal' == ($_COOKIE['login_temp'])) {
          setcookie('PHPSESSID',$_COOKIE['PHPSESSID'],$timeout100days, '/', 'kinostat.com');
          session_set_cookie_params($timeout100days, '/', 'kinostat.com');
          //echo('<p>login_temp cookie is \'not_public_terminal\', cookie params set to 100 days.</p>');
     } else { // if login_temp is not FALSE
          setcookie('PHPSESSID',$_COOKIE['PHPSESSID'],$timeoutToday, '/', 'kinostat.com');
          session_set_cookie_params($expire, '/', 'kinostat.com');
          //echo('<p>login_temp cookie is \'public_terminal\', cookie params set to 0 days.</p>');
     }
} else { // if login_temp not set
     if (!empty($_COOKIE['PHPSESSID']))
          setcookie('PHPSESSID',$_COOKIE['PHPSESSID'],$timeoutToday, '/', 'kinostat.com');
          session_set_cookie_params($expire, '/', 'kinostat.com');
          //echo('<p>login_temp cookie is NOT SET, cookie params set to 0 days.</p>');
}

Link to comment
Share on other sites

From the manual:http://us3.php.net/manual/en/ref.session.php#ini.session.gc-maxlifetime

 

Note: If different scripts have different values of session.gc_maxlifetime but share the same place for storing the session data then the script with the minimum value will be cleaning the data. In this case, use this directive together with session.save_path.

 

I think you'll need to set it in the php.ini, or on every single page, in order for it to work.

Link to comment
Share on other sites

hm.. that code is on every single page, so I should be OK there, but I am on a shared host saving the cookies in /tmp, so maybe other people are running scripts that are killing my sessions? Could that be the problem? In which case is the best thing to save my sessions to another directory that I know that no one else will be using?

Link to comment
Share on other sites

ok, I've made some progress. Apparently someone else's script on the shared server or a server cleanup routine is killing my sessions stored in the /tmp directory. I changed the sess id save path to

 

session_save_path("./tmp");

 

to store it in the root directory of my folder on the shared server (so the sessions are no longer saved in "/tmp", which is above this directory), and now the sessions appear to be persisting properly.

 

I still have the following problem though: php is running as the user:group "dhtml:dhtml" whereas the user:group for my folder on the shared server and all folders within my folder is "username:username", and thus "dhtml" does not have permission to access the "./tmp" directory unless I CHMOD 777 the directory.

 

My hosting provider doesn't provide SSH access on the shared server. I assume SSH access is necessary to grant "dhtml" access to the ./tmp directory, and that I should therefore contact my hosting provider and ask them to set the permission for me. Is my understanding correct, or is there some way for me to do it myself without SSH? (I can CHMOD the directory via FTP, but my FTP program doesn't seem to allow me to change the group/user assigned to a given folder.) Thanks for your help.

 

Link to comment
Share on other sites

LOL that's very dumb, and even dumber is them telling you to mod the dir. You're doing it the right way by saving to a local temp folder, I would see about adding those file types to the htaccess though so that your information isn't phishable.

Link to comment
Share on other sites

LOL that's very dumb, and even dumber is them telling you to mod the dir. You're doing it the right way by saving to a local temp folder, I would see about adding those file types to the htaccess though so that your information isn't phishable.

I just put an .htaccess file in the new /tmp directory with "Deny From All" so that people can't view the session data. Is that enough to prevent access, or is there something more I can do? thanks.

Link to comment
Share on other sites

That should do. Maybe add an index.php that sends the header to your main page:

//Body of index.php in that directory
<?php 
header("Location: http://www.yoursite.com");
?>

 

This will prevent anyone trying to get the directory structure of your folder. You should add that in all folders that don't have an index.html/php etc in them.

Link to comment
Share on other sites

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.