why is my session expiring unexpectedly after ~30 mins?

bitt3n

I am experiencing a strange problem when I try to get a session to persist for 100 days. I set the session to last for 100 days using the code below, but the session appears to last ~30 minutes only. One of the comments in PHP.net suggests updating a couple of ini settings (see first two lines of below code), but that still does not prevent the session from expiring prematurely. I also tried manually setting the expiration for PHPSESSID in addition to calling session_set_cookie_params(), but the session still expires early. I would be most grateful for any suggestions. Here is the code I am using:

Code:

ini_set("session.cache_expire","100*24*60*60"); // default is 180, which is 3 hours...

ini_set("session.gc_maxlifetime","100*24*60*60"); // default is 1440, which is only 24 minutes

$timeout100days = time()+100*24*60*60;
$timeoutToday = mktime('23','59','59', date('m'), date('d'), date('Y'));
$expire = time()-1800;

if (!empty($_COOKIE['login_temp']) && !empty($_COOKIE['PHPSESSID'])) {
     if ('not_public_terminal' == ($_COOKIE['login_temp'])) {
          setcookie('PHPSESSID',$_COOKIE['PHPSESSID'],$timeout100days, '/', 'kinostat.com');
          session_set_cookie_params($timeout100days, '/', 'kinostat.com');
          //echo('<p>login_temp cookie is \'not_public_terminal\', cookie params set to 100 days.</p>');
     } else { // if login_temp is not FALSE
          setcookie('PHPSESSID',$_COOKIE['PHPSESSID'],$timeoutToday, '/', 'kinostat.com');
          session_set_cookie_params($expire, '/', 'kinostat.com');
          //echo('<p>login_temp cookie is \'public_terminal\', cookie params set to 0 days.</p>');
     }
} else { // if login_temp not set
     if (!empty($_COOKIE['PHPSESSID']))
          setcookie('PHPSESSID',$_COOKIE['PHPSESSID'],$timeoutToday, '/', 'kinostat.com');
          session_set_cookie_params($expire, '/', 'kinostat.com');
          //echo('<p>login_temp cookie is NOT SET, cookie params set to 0 days.</p>');
}

MarkR

bitt3n wrote:

ini_set("session.cache_expire","100*24*60*60"); // default is 180, which is 3 hours...

This is a guess, but it seems likely that you need to remove the " from around 1002460*60, which is an expression which needs to be evaluated not treated as a string.

Enable all errors - error_reporting(E_ALL), this may shed more light on the problem.

Mark

Installer

In addition:

I don't know if this will solve the problem, but it will probably help:

session.cache_expire - Takes minutes, not seconds.

session_set_cookie_params() - First argument should be seconds, not timestamp.
- Must be called before session_start().

NogDog

Also note that changing the session.gc_maxlifetime value will not necessarily save your session data if any other PHP script runs on the host which uses the default value and which utilizes the same session.save_path as your scripts. If there is any possibility of this condition, then you should also create a separate session directory (readable/writeable by your webserver user under whom you scripts are run) and add a session.save_path setting to it along with your other session settings.

bitt3n

ok, I've made some progress. Apparently (as per NogDog) someone else's script on the shared server or a server cleanup routine is killing my sessions stored in the /tmp directory. I changed the sess id save path to

session_save_path("./tmp");

to store it in the root directory of my folder on the shared server (so the sessions are no longer saved in "/tmp", which is above this directory), and now the sessions appear to be persisting properly.

I still have the following problem though: php is running as the user:group "dhtml:dhtml" whereas the user:group for my folder on the shared server and all folders within my folder is "username:username", and thus "dhtml" does not have permission to access the "./tmp" directory unless I CHMOD 777 the directory.

My hosting provider doesn't provide SSH access on the shared server. I assume SSH access is necessary to grant "dhtml" access to the ./tmp directory, and that I should therefore contact my hosting provider and ask them to set the permission for me. Is my understanding correct, or is there some way for me to do it myself without SSH? (I can CHMOD the directory via FTP, but my FTP program doesn't seem to allow me to change the group/user assigned to a given folder.)

UPDATE: Since I have no SSH access I asked my hosting provider to change the folder permissions, and they responded with "just CHMOD 777 the directory".

Am I correct in believing that giving open permissions to a directory containing session data is dumb?

NogDog

It's certainly not ideal, but typically is the case the way most shared hosts are configured. Thus, when using PHP on a typical shared host, it's not a good idea to store any truly sensitive data within session variables (unless you write your own session handler, perhaps using a database to save the data).

MarkR

You can probably chmod the directory via FTP - see your FTP client's documentation for more details.

I wonder whether it might not be more sensible to do something like:

 $docroot = $_SERVER['DOCUMENT_ROOT'];
 $tmpdir = "$docroot/tmp";
 session_save_path($tmpdir);

To set the sessions directory relative to the document root instead of assuming that the current working directory or whatever "." means in PHP, is going to be right.

If the temp directory is within the web root, it's a good idea to prevent web access- if you're on Apache, you can do this by putting

Deny From All

In .htaccess

Mark

bitt3n

yep I can chmod it no problem with ftp.

the only thing I am worried about is that other people on my shared server will have access to my sessions directory if I give open permissions to the folder, even if I protect it from web access.

is there any way to avoid that, or is it just an inevitable risk of using a shared server?

NogDog

You could look for a shared server that runs the suPHP module. If that's not practical, you might want to look at this article which recommends using a database for storing session data (and provides a sample script for doing so).