PHP Session *not your usual* problem


ysamu

Hello,

I have a funny problem with my session management; actually, I never came across this before.

I have a website, an admin panel which is protected by a session object. I have, I think, "standard" PHP session settings and my problem is that my system never logs me out after 20 minutes of inactivity.

My code for admin access is:

----------------------
if (isset($_SESSION['user'])) {
    // he is logged in, carry on
} else {
    // send to login page, set the session on successful authentication
}
----------------------

 

My php session settings are:

session.save_handler = files
session.use_cookies = 1
session.use_only_cookies = 1
session.name = ds
session.auto_start = 0
session.cookie_lifetime = 0
session.cookie_path = /
session.cookie_domain =
session.serialize_handler = php
session.gc_probability = 1
session.gc_divisor = 100
session.gc_maxlifetime = 1200
session.bug_compat_42 = 0
session.bug_compat_warn = 1
session.referer_check =
session.entropy_length = 0
session.entropy_file =
session.cache_limiter = nocache
session.cache_expire = 180

 

According to those, I assume the garbage collector will have a 1% chance of deleting any session after 1200 seconds.

There is enough activity on the server to trigger the GC often, but I stay logged-in for weeks!

 

Would you know what I am doing wrong?

 

Thank you for your help!


Also, your cookie will never expire... though that shouldn't matter if the session itself expires, as the cookie simply holds the session id.

 

session.cookie_lifetime = 0

 

Also, if there is any recursive callback function (ajax, etc.), they might be holding your session active... assuming you don't close the browser window.

 

And yes, check for cookie possibilities

Thank you for your answers,

 

The session.cookie_lifetime = 0 makes the cookie a session cookie, staying as long as the browser is open, but as you said, the GC should kill the session in any case.

 

I have no callback, no Ajax, no fancy thing, just disconnected HTML, no other cookie is set....

 

I can still handle the session timeout with some PHP logic, but it would be lovely to have the core feature working fine^^

Is the problem isolated to your box or spread among many clients?

 

I've looked around and can't find many people having the same issue.

http://bugs.php.net/bug.php?id=14654&edit=1 - Using LEGACY software, but might be an issue.

 

And yes, you are correct. Setting the time to 0 ends the cookie with the browser session. Sorry for the wrong advice.

The purpose of the session garbage collection is NOT to end sessions and log you out.  ::) Don't expect it to do anything more than clean up old session data files. Because GC uses a random number, there is only a probability that session data files older than the gc max lifetime will be deleted every session.gc_probability/session.gc_divisor session_start() statements.

 

Just because the posted settings are in a php.ini file, does not mean that they are what are getting used. Make sure that php is using the php.ini that you think it is and use a phpinfo() statement to see what the actual runtime values are. Also make sure php is using a session cookie instead of a SID appended to the url. If you are returning to your site through a url that contains the SID as part of the url, then the session would be resumed as long as the session data file still exists.

 

If you are closing your browser, with the posted settings, the session cookie should be deleted. If you are not getting logged out by the session ending in this way, then your logic in your code is probably incorrect, such as an if() statement using one = sign that is not actually testing a value but assigning it. You would need to post your code to get specific help with what it is doing.

 

The proper way of logging someone out after an amount of time is to store the time of their last visit and then on each visit check if that was long enough ago that they should be logged out.
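
The last-visit check described in the final reply, sketched as an added example that is not part of the original thread: the idle limit is enforced in application code on every request instead of relying on session garbage collection. The `last_activity` key, the `IDLE_LIMIT` constant, the function names and the `/login.php` URL are assumptions; `user` is the session key from the first post.

```php
<?php
// Added example. Assumed names: IDLE_LIMIT, 'last_activity', /login.php.
const IDLE_LIMIT = 1200; // seconds; same value as session.gc_maxlifetime in the thread

// True only if a user is logged in AND the last request was within $limit seconds.
function session_is_live(array &$session, int $now, int $limit = IDLE_LIMIT): bool
{
    if (!isset($session['user'])) {
        return false;                          // never authenticated
    }
    $last = $session['last_activity'] ?? null; // a missing timestamp counts as expired
    if (!is_int($last) || $now - $last > $limit) {
        $session = [];                         // drop all authentication state
        return false;
    }
    $session['last_activity'] = $now;          // sliding window: refresh on each request
    return true;
}

// Remove the server-side data and expire the browser's session cookie.
function end_session(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// Guard included at the top of every admin page (not on the login page itself).
session_start();
if (!session_is_live($_SESSION, time())) {
    end_session();
    header('Location: /login.php');            // hypothetical login URL
    exit;
}

// On successful login the login script would do:
//   session_regenerate_id(true);
//   $_SESSION['user'] = $username;
//   $_SESSION['last_activity'] = time();
```

Because the timestamp lives inside the session data, the check gives the same result whether or not the garbage collector has removed the session file yet.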
