Hi

I have a site on shared hosting in which the SESSIONS time out too quickly and the user's shopping cart is dumped.

Is there a way that I can reliably find out the length of the SESSION life span? Is there a way of extending it without having access to php.ini etc.?

thanks

    To get the lifetime

    echo ini_get('session.gc_maxlifetime');

    To set it

    ini_set('session.gc_maxlifetime', 86400); // 1 day

      Typically sessions will last as long as the browser window is open. So if they close their browser (or possibly leave your site) then the session is closed.

      To get information about the session settings in php.ini you can use [man]ini_get[/man] to get the session settings. Typically though sessions will use cookies to store the session ID client-side (this keeps it out of the URL). You will also want to look at session.cookie_lifetime. If it's set to "0" then it will close when the browser is closed.

      Hope that helps. For more documentation on all the php.ini settings for sessions, you can look here. You can set some session values using [man]ini_set[/man] or [man]session_set_cookie_params[/man].

      The quoted functions above only talk about session data on the server. This is typically set to 1440 which is 24 minutes. What Kudose didn't tell you was that even if you set the garbage collection to 1 week (which is a bit much) the garbage collector will run at the minimum amount of time that any script uses the session temporary dir. In order for you to set that lifetime, and have it be adhered to, you might want to use the [man]session_save_path[/man] function to set that to somewhere else that isn't where everyone else stores their session data. Just don't put this in a web-accessible folder. So perhaps in /home/users/<username>/session_tmp or something like that.

      Another option is if you're using a users table, it may be a good idea to maybe serialize and base64_encode the data (then later base64_decode and unserialize the data) and store it in the database. Then when they log back in, they've got their session stuff right there, in the database. Less chance the garbage collector will destroy your stuff. You could store only the cart info, or anything from the session you want. Just make sure you don't store passwords or CC info.
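The settings discussed in the posts above (private save path, gc_maxlifetime, cookie lifetime) combined into one bootstrap, as an added example that is not code from any poster in this thread. It assumes PHP 7.3 or later; the function name `start_private_session`, the directory location and the one-day lifetime are illustrative choices.

```php
<?php
// Added example: function name, directory and lifetime are assumptions.
declare(strict_types=1);

/**
 * Start a session whose files live in a private directory, so garbage
 * collection triggered by other sites on the shared temp dir cannot
 * expire them early.
 */
function start_private_session(string $dir, int $lifetime): void
{
    // Owner-only directory; it must sit outside the web root.
    if (!is_dir($dir) && !mkdir($dir, 0700, true)) {
        throw new RuntimeException("Cannot create session dir: $dir");
    }
    chmod($dir, 0700); // mkdir() mode is subject to umask, so enforce it
    if (!is_writable($dir)) {
        throw new RuntimeException("Session dir not writable: $dir");
    }

    // Everything below has to happen before session_start().
    session_save_path($dir);
    ini_set('session.gc_maxlifetime', (string) $lifetime); // server-side lifetime, seconds
    ini_set('session.use_strict_mode', '1');  // refuse session IDs the server did not issue
    ini_set('session.use_only_cookies', '1'); // keep the ID out of the URL
    session_set_cookie_params([
        'lifetime' => $lifetime, // 0 would drop the cookie when the browser closes
        'path'     => '/',
        'secure'   => !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off',
        'httponly' => true,      // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Assumed layout: this script is in the web root and its parent directory is not served.
start_private_session(dirname(__DIR__) . '/session_tmp', 86400);
$_SESSION['cart'] = $_SESSION['cart'] ?? [];

// Confirm what is actually in effect for this request.
echo 'gc_maxlifetime: ', ini_get('session.gc_maxlifetime'), "\n";
echo 'save path: ', session_save_path(), "\n";
```

Both lifetimes matter: the cookie lifetime controls how long the browser keeps the session ID, and gc_maxlifetime controls how long the server keeps the data behind it.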

        aha ! good info, thanks 🙂

        why is it a good idea to use base64_encode for the session stuff stored in the db ?

          bpat1434 wrote:

          even if you set the garbage collection to 1 week (which is a bit much) the garbage collector will run at the minimum amount of time that any script uses the session temporary dir.

          Good to know. 🙂

            It's not really a security measure, but it's just something to help "encrypt" what's in there. It's easily reversible (as is anything that has a "decode" function); however, it's just something to keep the data "hidden". You can use any encryption function you want, as long as you can decrypt it (otherwise it's useless to encrypt it).

            You don't have to, I was just pointing out that if you're going to save to the database some session information, unless it's nothing sensitive (i.e. just a listing of products & quantities) then you should encrypt it somehow (preferably using the [man]mcrypt[/man] library).
