Session vars resetting


jbreits

I'm new to sessions, and found some sample login code on this site. It appears to work fine: index.php checks to see if the user is logged in; if not, it sends them to login.php. The login form posts login data to itself, where it then validates the login; if the login is good, it redirects to index.php. When index.php detects a logged-in user, it simply displays the user's name.

The problem occurs after I 'log in' successfully. I refresh my index.php page, everything ok, wait a while and refresh, ok, wait a while and refresh, it takes me to the login.php because the variable is either empty or no longer exists. I can't find a pattern in the number of refreshes or the amount of inactive time.

functions.php:
[code]
<?php

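// Redirect to the login page unless a member id is stored in the session.
function secure () {
  // empty() covers both a missing key and an empty string without raising a notice
  if (empty($_SESSION["member_id"])) {
    header("Location: ./login.php");
    exit();
  }
}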
function login_check ($forms) {
  $error = "";
  $username = $forms["username"];
  $password = $forms["password"];
  if (trim($username) == "") $error .= "<li>Your username is empty.</li>";
  if (trim($password) == "") $error .= "<li>Your password is empty.</li>";
  /* from here, do your sql query to query the database to search for existing record with correct username and password */
  if (trim($error)!="") return $error;
}

function login ($forms) {
  $username = $forms["username"];
  $password = $forms["password"];
  /* do your sql query again, but now returning the id of member */
  $member_id=$username;
  return $member_id;
}
?>
[/code]

login.php
[code]
<?php
// login.php
session_start();
include ("functions.php");
if ($_POST) {
  $error = login_check($_POST);
  if (trim($error)=="") {
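    // Issue a fresh session ID on login so an ID handed out before login is not kept
    session_regenerate_id(true);
    $_SESSION["member_id"] = login($_POST);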
    Header('Location: /index.php');
    print "all's good";
    exit();
  } else {
    print "Error:$error";
  }
}
?>
<form method="post">
Username : <input type="text" name="username"><br />
Password : <input type="password" name="password"><br />
<input type="submit" value="Login">
</form>
[/code]

index.php
[code]
<?php
// index.php
include("functions.php");
session_start();
secure();
echo ('logged in as: '.$_SESSION['member_id']);
?>  
[/code]


Does anyone have any ideas on what I'm doing wrong?

Thanks,
jbreits

Thanks for the tip, but it didn't help.

I am now testing an even simpler session script:

[code]
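<?php
session_start();
// Start from 0 on the first visit, when the key does not exist yet
$counter = isset($_SESSION['counter']) ? $_SESSION['counter'] : 0;
$counter++;
$_SESSION['counter'] = $counter;
print "You have visited this page $counter times during this session<br>";
?>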
[/code]

Same sort of thing happens. I refresh several times and the number counts as it's supposed to. After letting it sit for a couple minutes, I refresh and the counter has gone back to 1. Is the session timing out or something? I'm new to sessions, so I'm not quite sure what is going on, but it does seem to be an inactivity thing. bst.breittechnologies.com/counter.php if you want to test it out.

Anyone have any ideas?

Thanks,
jbreits

Thanks for the suggestion, but I think I may have figured it out.

It appears that the following 3 values define the amount of time that the session file can remain on the server:

session.gc_probability
session.gc_divisor
session.gc_maxlifetime

I checked the default values that were set in the ini file, and I got:
probability 1
divisor 100
maxlifetime 1440

From the manual, this appears to mean that each time a session loads, there is a 1/100 (1%) chance that garbage collection runs. If GC does run, a session file will be considered garbage and cleaned up if it has not been accessed in 1440 seconds. That all makes sense, but it does not explain why mine were timing out after only a couple minutes.

Then I noticed this under the explanation of gc_maxlifetime:

[quote]
Note: If different scripts have different values of session.gc_maxlifetime but share the same place for storing the session data then the script with the minimum value will be cleaning the data. In this case, use this directive together with session.save_path.
[/quote]

My session.save_path was set to the default of /tmp. However, this is a shared server and there could be others running session scripts with lower values of gc_maxlifetime. If that was the case, those scripts might be cleaning up my session files as well. At any rate, I changed the save_path to /home/myusername/tmp. And lo and behold, it worked! I was no longer timing out after a couple minutes.

To double check that this was the issue, I set the probability and divisor to 1 (100% chance that GC runs) and the maxlifetime to 60 (seconds). And, as I expected, my sessions began to time out after 1 min of inactivity.

So I have figured out the resolution to the problem. I hope this information can help others.

As a follow-up question, now that I have my session working with the standard file-storage method, what are the advantages (if any) of using a database (MySQL) and custom handlers to store the session information?

Thanks,
jbreits
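
The fix described in the post above, as an added example that is not part of the original thread: a bootstrap that moves session files to a private directory and also enforces the idle limit explicitly, since garbage collection only runs on a fraction of requests. The file name, the `last_seen` key and the 1440-second limit are assumptions; the directory is the one named in the post.

```php
<?php
// session_bootstrap.php (hypothetical name): include this instead of
// calling session_start() directly in each script.

const SESSION_DIR  = '/home/myusername/tmp'; // private directory, as in the post
const IDLE_SECONDS = 1440;                   // assumed limit, same as the default gc_maxlifetime

function start_private_session(): void
{
    // 0700: only the account PHP runs as can list or read the session files,
    // unlike a world-writable shared /tmp.
    if (!is_dir(SESSION_DIR) && !mkdir(SESSION_DIR, 0700, true)) {
        throw new RuntimeException('cannot create session directory');
    }
    chmod(SESSION_DIR, 0700);

    // All of these must be set before session_start().
    ini_set('session.save_path', SESSION_DIR);
    ini_set('session.gc_maxlifetime', (string) IDLE_SECONDS);
    ini_set('session.gc_probability', '1');
    ini_set('session.gc_divisor', '100');
    ini_set('session.use_strict_mode', '1'); // reject session IDs the server did not issue

    session_start();

    // GC is probabilistic, so a stale session file can outlive
    // gc_maxlifetime. Check the idle time on every request instead of
    // relying on the file having been deleted.
    $now = time();
    if (isset($_SESSION['last_seen']) && $now - $_SESSION['last_seen'] > IDLE_SECONDS) {
        $_SESSION = [];
        session_regenerate_id(true);         // delete the old file, issue a fresh ID
    }
    $_SESSION['last_seen'] = $now;
}

start_private_session();
```

With this in place, a lower gc_maxlifetime in someone else's script no longer affects these files, and a session idle for longer than the limit is emptied even when GC has not run.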