deactivate the gx_maxlifetime

tamayo

Hi, sometimes the users needs to pause to work for example to help a client o look for some papers, after sometime they restart their work but when they press the send button, they got the message that they are not authorized beause the session is over, and of course their data is lost.

to solve this i change in the php.ini file this line:

gc_maxlifetime=0

doing this, i think the session never will die. so my questions are:
1. the session will never die?
2. i have update the name of a textbox in the form, then i press f5 but the session still was over, why?
3. is there a better way to manage this? i want that the data never lost, even if the session is over.

regards

Weedpacket

Your setting means that session data will be regarded as garbage after 0 seconds.

You want to change gc_probability. But keep in mind the consequences of not having any garbage collection.

If you don't want data to be lost at the end of a session, don't store it with the session data: store it in a database.

tamayo

in fact, the data is stored in a database, i will explain my problematic scenario:

the user needs to add the information of a new seller partner: name, age, sex, address, etc.
the user clicks in the option "new partner" and the form is open
the user start typing name and age "but" suddenly the boss call him, the chat takes 30 minutes, then the user goes to the bathroom, then goes to the candy machine, then calls to mom... and 90 minutes after he comeback to the desk...
continues typing sex and address then the user clicks on "continue button", what happens?

in the server side the newpartner.php calls to addpartner.php, this file at the beginning has this lines:

<?php
session_start();
if (@$_SESSION['autorizado'] !="yes")  

{
	header("Location: nologin.php");
	exit();
	}
else{
include("okus.php");
.....

so, the result the user got is: nologin.php and the data is lost!, because addpartner.php store the data in the database

so, why I think this happens:

the session is timeout
my gc_maxlifetime is too short (i think the default is 1440 seconds)

what I think I should do:
1. increase the value of gx_maxlifetime

why?
because if the user take the decision of start typing the data, make pause, and restart the typing 1 hour later, no matters what time, when it calls to addpartner.php the session is still active.

now, i know is a bad way to do this, but would you recommend me some better way?

regards

Weedpacket

tamayo wrote:
1. increase the value of gx_maxlifetime

Changing it from 1440 to 0 is not increasing it 🙂. I know some of the ini settings work like that, but I don't think gc_maxlifetime is one of them. I agree about increasing it, but trying to make it infinite might not be the best choice: would it be enough to allow a session to lie idle for a hundred thousand seconds or so before declaring it abandoned?

Session garbage collection usually isn't performed every time a PHP script is run (that would be bad for performance); instead it runs with only a certain probability, controlled by the [man]session.gc_probability[/man] and [man]session.gc_divisor[/man] settings I mentioned. So there's actually a bit of a grace period for a session between the time it reaches its maximum age and the next time the garbage collector runs. Decreasing the frequency of garbage collection would increase the grace period (and decreasing the frequency to zero would increase the grace period to infinity).

Second viewpoint:
This sounds like an intranet situation; you're not talking about millions of hits an hour. You can have the client do a bit to hold up its end of the session by periodically telling the server that it is still present. There would be a bit of JavaScript on the page that every twenty minutes or so sends a request to a PHP script that doesn't actually do anything (and the client doesn't do anything with the response), but the fact that the server received the request is enough to reset the session's age and give it another gc_maxlifetime seconds to live.

johanafm

Edit: modify the stuff below to rather than directly use old contents of post/get just use the old stuff to repopulate the form. If someone other than the user tried to post data without the user knowing, he should only post it after confirming the previous post.

One way to handle it would be to
1. Ordinary check to see if user is logged in, and if they are not (session expired)
2. session_start()
3. store url of requested page along with post and get, for example as $SESSION['old']['url'], $SESSION['old']['get'], $SESSION['old']['post']
4. redirect user to login page
5. after login, check for presence of $SESSION['old']['url']. If it exists, unset it and redirect to the value it held before
6. In every script where you want to be able to restore such user data, check for presence of $SESSION['old']['get'] and $SESSION['old']['post'] and use their contents to populate $POST and $GET at the very top of the script.
7. Unset $_SESSION['old']
8. Let the script complete as it would on a normal request.