
[SOLVED] Can I make sessions last longer?


Chappers


Hi,

 

I've made a basic website where users can log in, and for that I'm using sessions with session_start(); but unfortunately the user is logged out after only a few minutes, and has to log back in again.

 

Can I extend this time, or better still make it keep the user logged in until they either log out or close the page?

 

If the answer to that is that only cookies would achieve what I'm after, could a brief guide on setting them up be given, or the URL for a good tutorial please?

 

Thanks,

James

Link to comment

Since I'm using a free host for the time being and so don't have access to php.ini, can I do it through .htaccess, as I have done in order to turn off magic quotes with "php_flag magic_quotes_gpc Off"?

 

If I can, then could you please tell me the code I need to put in .htaccess to extend the timeout rate?

Link to comment

Don't know if you can, but there is a JS workaround: what you do is have a continuous function that checks for a keystroke or mouse position; if nothing happens in 4 minutes 30 seconds, you can refresh the page via a meta refresh to refresh the session.

 

Or you use cookies.

 

I am sure a .htaccess mod can do it, it could be

"php_flag session.cache_expire 3600"

 

That should set the session to be 1 hour (3600 seconds) before expiring.

Untested though.

Link to comment

The mod didn't work. I've since discovered that to change numerical values, the line is "php_value", not "php_flag". I'm using phpinfo() to make sure the changes are actually made - and they are.

 

Doesn't matter what I change php_value session.cache_expire, php_value session.cookie_lifetime, or php_value session.gc_maxlifetime to, it still makes no difference to when users get logged out.

 

I've looked up all the variables for sessions in the online PHP manual but not one is specifically identified as the one which keeps a session alive for a predetermined amount of time.

 

Any ideas anyone please?

Link to comment

It sounds like the session is ending due to the deletion of the session data file on the server, when garbage collection runs.

 

On shared hosts, the script from all the accounts on that server with the shortest session.gc_maxlifetime will win and any session data files older than that shortest setting will be deleted when GC runs.

 

You should create your own session save folder (preferably below your doc root folder) and set session.save_path (in a .htaccess file or in your scripts before each session_start()) to point to that folder. Then the garbage collection routine will only operate on your files using your session.gc_maxlifetime setting. If you cannot place the folder below your doc root and you can only put it above your doc root, make sure you put a .htaccess file in it that denies all http/https web requests to files in it.

Link to comment

Thanks for that information. I can only put the session save folder above the doc root one, so I'll need to add the .htaccess file you mentioned. Could you please tell me what I put in there to ensure no web requests to it?

 

Out of interest, I'd read on another website about the GC being roused by the shortest set time limit on shared hosts, but if that's the case for me, if I put my GC maxlifetime setting at something ridiculous like 5 seconds, that must be less than the current lowest one since my normal timeout is around 3 minutes, so why doesn't mine take precedence during that test and time me out after 5 seconds when I refresh the page?

 

Oh, one last question... do I use the full URL when stating the save path for my sessions folder?

 

Thanks for your help,

James

Link to comment

Put the following in a .htaccess file in the folder that you want to prevent web access to -

 

order deny,allow
deny from all

 

The session.gc_probability and session.gc_divisor randomly determine when GC runs, so you might need to execute a number of session_start() statements before it would run and clean out files that are older than the session.gc_maxlifetime. You actually need to create more than one session to see any effect, because when you access a session, it updates the time information on the file and that would keep the file's age less than the session.gc_maxlifetime.

Link to comment
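The two replies above (a private session.save_path so only your own gc_maxlifetime applies, and GC running only probabilistically) combined into one bootstrap, as an added example that is not code from any poster in this thread. It assumes PHP 7 or later; the function name `start_private_session`, the `sessions` folder location and the 2-hour limit are illustrative assumptions.

```php
<?php
// Added example (hypothetical bootstrap): include it before any output on every page.

const SESSION_IDLE_LIMIT = 7200; // seconds; assumed value, adjust to taste

/** Start a session stored in a private directory; return false if storage is unusable. */
function start_private_session($dir, $idleLimit = SESSION_IDLE_LIMIT)
{
    // Do not assume the folder is there: create it owner-only, then verify it.
    if (!is_dir($dir) && !mkdir($dir, 0700, true)) {
        return false;
    }
    if (!is_writable($dir)) {
        return false;
    }

    // Session settings must be changed before session_start();
    // ini_set() returns false when the change is refused.
    if (ini_set('session.save_path', $dir) === false) {
        return false;
    }
    ini_set('session.gc_maxlifetime', (string) $idleLimit);
    ini_set('session.cookie_lifetime', '0');  // cookie lasts until the browser closes
    ini_set('session.cookie_httponly', '1');  // keep the session ID away from page scripts
    ini_set('session.use_strict_mode', '1');  // reject session IDs the server did not issue

    if (!session_start()) {
        return false;
    }

    // GC only runs by chance (gc_probability / gc_divisor), so it is not a
    // reliable timeout. Enforce the idle limit in the application as well.
    $now  = time();
    $last = isset($_SESSION['last_activity']) ? $_SESSION['last_activity'] : $now;
    if ($now - $last > $idleLimit) {
        $_SESSION = [];               // drop the stale login state
        session_regenerate_id(true);  // new ID, old data file deleted
    }
    $_SESSION['last_activity'] = $now;
    return true;
}

// Hypothetical location: a "sessions" folder next to this script.
if (!start_private_session(__DIR__ . '/sessions')) {
    http_response_code(500);
    exit('Session storage is not available.');
}
```

If the folder has to sit inside the web-served tree, keep the deny-all .htaccess from the reply above in it so the session files cannot be fetched over HTTP.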

By changing the session.gc_divisor to 1, I now know that although the default is 24 minutes for session.gc_maxlifetime, it's actually 5 minutes.

 

I can't seem to change session.save_path as it's not changing on the php config page. It's still set to /tmp.

 

Is there a certain syntax for expressing where the folder to save to is? I've made the folder within my htdocs folder where all my other files and folders are. But, it seems that I can go up when I log on with FTP which then just displays the folder Htdocs, and up again from that to where it just shows a folder with my website name.

 

Would you please be able to tell me the correct format to use in the session.save_path to use if I put the session save folder in the place where I just have a folder with my website's name, and also how I'd put it if using the Htdocs folder where all my files and folders are? I'm using an .htaccess file, so it's in the format php_value session.save_path ...

Link to comment

Anyone please?

 

I've tried many variations for the url of my folder for sessions, conveniently named "sessions", including getting the full server link for my site from the phpinfo() details.

 

php_value session.save_path sessions

 

php_value session.save_path /sessions

 

php_value session.save_path htdocs/sessions

 

php_value session.save_path /home/vol4/**hosting site's name**/**my username**/mysite.com/htdocs/sessions

 

but when I then check phpinfo() it shows:

 

php_value session.save_path /tmp

 

Could it be somehow made not changeable? In case it showed no change but was saving to the directory I'd set in .htaccess, I tried logging in and waiting, and it still logged me out in 5 minutes, although my session.gc_maxlifetime is set to 2 hours.

Link to comment

  • 4 weeks later...

Finally got some help from the hosting company. For whatever reason, trying to change it via an .htaccess file does not work; instead they told me I had to add the following to the top of every page (in my case, just my header.php file). I then found that the path had to be in the htdocs folder or it'd ignore the attempted change of path.

 

ini_set('session.save_path','/home/vol4/myhost.com/myusername/mysite.myhost.com/htdocs/sessions');

 

Still using an .htaccess file to set the session.gc_maxlifetime to my preferred quantity.

 

Oddly, I can put the save path location as a folder which doesn't exist, yet still log in to my site and stay logged in as I go from page to page...

Link to comment
