Dom
Member
Registered: 13th Sep 03
User status: Offline
|
Currently i'm setting the session's maxlifetime to 3600 minutes (an hour) using ini_set("session.gc_maxlifetime", "3600"). Am i right in thinking that if a session hasn't been updated within that hour, then it is seen to be 'garbage' and will be scrubbed/deleted?
So in the situation of storing a 'loggedon' boolean session variable when a user has logged on to a web app that isn't updated whilst the user is using the web app (although other session variables are), it would get destroyed after the maxlifetime limit?
cheers for any help
|
AndyKent
Member
Registered: 3rd Sep 05
User status: Offline
|
Not quite right iirc. The session itself will stay alive an hour after the last activity, not from when a particular variable was set.
Say a user logged on at 3pm and last clicked in your app at 3.15, the session would expire at 4.15pm, not 4pm. That would then dump all the variables you've set.
|
Dom
Member
Registered: 13th Sep 03
User status: Offline
|
So that's any activity across all of the $_SESSION variables?
What i read (php site and others) made it sound like if a variable wasn't updated then it would get scrubbed regardless of other session variables changing.
Cheers though
|
AndyKent
Member
Registered: 3rd Sep 05
User status: Offline
|
My understanding was that if the session in relation to a user was updated, the whole session was updated if that makes sense.
There isn't (as far as I know) a time logged against each variable so it would just get recycled along with everything else.
Might well be wrong, but pretty sure I'm not
|
Dom
Member
Registered: 13th Sep 03
User status: Offline
|
Well the client isn't bitching about it so i'm praying that it's fixed, time will tell i suppose
|
Dom
Member
Registered: 13th Sep 03
User status: Offline
|
Still having issues with users getting randomly booted after 15mins or so, even though the session.gc_maxlifetime is set to 3400secs/1hr. Having a nose round the php.ini i found -
-----
; After this number of seconds, stored data will be seen as 'garbage' and
; cleaned up by the garbage collection process.
session.gc_maxlifetime = 1440
-----
So i can only assume that a session gets scrubbed after the set time limit and that i should be setting the limit to something huge like 9hrs to keep a user logged in for the day
Also am i right i should be setting this before the session_start()?
|
Reedy
Member
Registered: 11th Apr 04
Location: Hammersmith
User status: Offline
|
surely if you modify the main php.ini file then it will automatically set it.
Otherwise if you're doing it with one of those .htaccess files then the issue might be when the user is going to another folder I think it loses those settings. So if a page directs away from the index to an upper level, e.g. corsasport.co.uk -> corsasport.co.uk/board/
I might be wrong though, i tend to just change the main php.ini file.
[Edited on 20-05-2010 by Reedy]
|
Dom
Member
Registered: 13th Sep 03
User status: Offline
|
i'm using ini_set() to set it before session_start() on every page (should i be setting it on every page, or only once say on the login page?). Ideally i should have a custom php.ini but at the moment i don't have access to do that. I have just found that the host requires you to set the session.save_path to /tmp/php_sessions if using custom php.ini's, so i've set that as well before the session.maxlifetime.
|
ed
Member
Registered: 10th Sep 03
User status: Offline
|
Doesn't the session remain active for as long as the cookie is alive? The cookie expires when the browser session is closed, so if you use a session based login system as soon as the user navigates away from the page, they get booted off?
|
Dom
Member
Registered: 13th Sep 03
User status: Offline
|
quote: Originally posted by ed
Doesn't the session remain active for as long as the cookie is alive? The cookie expires when the browser session is closed, so if you use a session based login system as soon as the user navigates away from the page, they get booted off?
Sessions are carried over between pages, but as you say the session ID is stored in a cookie (iirc) and i have read that you should set the 'session.cookie_lifetime' to 0 (0 meaning, clear cookie on browser close). I did do that but the whole thing went tits up
Problem is the client is getting fucked off with his staff entering loads of info, pressing submit and the app kicking them out.....
|
ed
Member
Registered: 10th Sep 03
User status: Offline
|
Ohhhh, I've not come across that before....
|
Dom
Member
Registered: 13th Sep 03
User status: Offline
|
Another question, should i be calling session_name() before session_start() to resume a session? Or will it automatically resume the session on session_start() using the session id?
[Edited on 20-05-2010 by Dom]
|
ed
Member
Registered: 10th Sep 03
User status: Offline
|
session_start() will resume the session. You only use session_name() if you want to call the session something or get the name of the current session.
|
ed
Member
Registered: 10th Sep 03
User status: Offline
|
Not sure if the first comment bears any relevance to your work?
http://php.net/manual/en/function.session-name.php
|
Dom
Member
Registered: 13th Sep 03
User status: Offline
|
Cheers, am already reading it. It looks like you only use session_name() if you're giving a name to your session in which you obviously need to resume the session with that name (as sessions default to IDs). Otherwise it'll automatically resume a session based on IDs. I could be completely wrong though
I find the whole documentation of php sessions to be pretty shit, especially on dealing with sessions expiring. Doesn't help googling as there is far too much conflicting information about regarding sessions - ie: some people think maxlifetime is based on inactivity or last modified time of the session, whereas others (inc the note in the php ini) say the maxlifetime is the time since the session was created.
|
Reedy
Member
Registered: 11th Apr 04
Location: Hammersmith
User status: Offline
|
The only thing you need to run is session_start() and possibly session_destroy()
session start can be run on every page (but depends on the architecture), i develop using MVC so i only use a session start in the index file.
Session destroy is used when a user logs out.
I hope that clears things up
|
ed
Member
Registered: 10th Sep 03
User status: Offline
|
I use cookies for user verification as there seems to be a bit more control over what you can do with them. I'm not too sure what the security aspects of doing it this way are...
|
Dom
Member
Registered: 13th Sep 03
User status: Offline
|
Reedy - Yup, already doing it like that.
Ed - I have looked at using cookies, it might be a route if this continues, although you can easily retrieve the information out of a cookie that's the only issue.
Problem is, the application is 'booting' them out but i'm having no issues whatsoever on my dev box, my laptop or my pc and this is across a number of browsers. Which makes me wonder if it's an issue at their end, but i have no idea what (there are only 3/4 of them, their internet connection is run through a windows server but no caching is apparently on that server). I'm seriously running out of ideas.......
All pages include a 'general_include.php', and the start of the 'general_include.php' is -
quote:
ini_set("session.save_path", "/tmp/php_sessions"); //Session Save Path (as stated on the Host Forums)
ini_set("session.gc_maxlifetime", "7200"); //Session Max Life - 2hr
ob_start(); //Use Buffering - ob_flush() is getting called at the end of the page load!
session_start(); //start sessions
dbConnect(); //DB Connection Function
$GLOBALS['directory'] = "/livesite"; // Set Global directory *Temp
After that there are a few login checks (time limits, ip restriction etc) and then a load of functions that are used throughout the application.
Regarding the login page, once they hit the submit button, it checks to see if the user/password is ok, if not display error otherwise open a new window fullscreen (not status bar, address bar etc) for the main app and close the current (login) window.
Could there be an issue with sessions getting carried between new windows? Thing is, if you login and create a new tab you can still access the application from that new tab without logging in, so i've assumed that sessions do get carried across
|
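An added example, not code from any poster in this thread: it keeps the login state server-side and enforces the idle timeout in the application with a last-activity timestamp, so a logout never depends on when PHP's garbage collector happens to run. `IDLE_LIMIT`, the function names, the session keys and `/login.php` are assumptions made for illustration; the save path and the 2hr value are the ones from the post above.

```php
<?php
// Added example, not code from the thread. IDLE_LIMIT, the function names,
// the session keys and /login.php are assumptions for illustration.
const IDLE_LIMIT = 7200; // seconds of inactivity allowed (the 2hr value in the post)

// True while the login is usable. Idle time counts from the last request,
// not from login and not from when any one $_SESSION variable was written.
function login_still_valid(array $session, int $now, int $limit = IDLE_LIMIT): bool
{
    if (empty($session['loggedon']) || !isset($session['last_activity'])) {
        return false;
    }
    return ($now - $session['last_activity']) <= $limit;
}

function start_app_session(): void
{
    // Set before session_start(). A save_path used only by this app stops another
    // script's shorter gc_maxlifetime from deleting its files. GC runs only now
    // and then, so it is storage clean-up; require_login() enforces the timeout.
    ini_set('session.save_path', '/tmp/php_sessions');
    ini_set('session.gc_maxlifetime', (string) IDLE_LIMIT);
    ini_set('session.cookie_httponly', '1');   // keep the ID away from page scripts
    ini_set('session.use_strict_mode', '1');   // reject IDs the server did not issue
    session_start();
}

function mark_logged_in(int $userId): void
{
    session_regenerate_id(true);               // new ID at login, old one discarded
    $_SESSION['loggedon'] = true;
    $_SESSION['user_id'] = $userId;
    $_SESSION['last_activity'] = time();
}

function require_login(): void
{
    if (!login_still_valid($_SESSION, time())) {
        $_SESSION = [];
        session_destroy();
        header('Location: /login.php');
        exit;
    }
    $_SESSION['last_activity'] = time();       // every request resets the idle clock
}

if (PHP_SAPI === 'cli') { // constructed sample: last click 15:15, one-hour limit
    $s = ['loggedon' => true, 'last_activity' => strtotime('2010-05-20 15:15:00')];
    var_dump(login_still_valid($s, strtotime('2010-05-20 16:10:00'), 3600));
    var_dump(login_still_valid($s, strtotime('2010-05-20 16:20:00'), 3600));
}
```

An include file would call `start_app_session()` and then `require_login()` on every protected page, and `mark_logged_in()` once after the password check succeeds.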
AndyKent
Member
Registered: 3rd Sep 05
User status: Offline
|
I'm with ed on this one - I'd probably just use cookies instead unless there is a reason why you want to store lots of data in a session server-side.
Can you rewrite the user authentication side to check for a cookie if the session isn't valid?
|
Dom
Member
Registered: 13th Sep 03
User status: Offline
|
Only reason i used sessions was due to the security side of things, as obviously you can read data from cookies pretty easily - only data i am storing is whether they are logged in (boolean), their user ID (reference to database table), username, their full name and their access status (admin/user etc).
I suppose i could use cookies, would require a fair amount of re-writing of code.....last resort ideally but it's looking like the only solution.
|
AndyKent
Member
Registered: 3rd Sep 05
User status: Offline
|
See what you mean.
In an ideal world you'd just store a userID as a cookie and let the server collect the rest of the information as/when it needs it. Can see how it could be a right pain if it's a fair sized app though
|
Dom
Member
Registered: 13th Sep 03
User status: Offline
|
maybe if i just change the logged-in boolean session to store it in a cookie, as that's the one the app is checking.....
Andy - yeah it's a pretty big app, would take a good day and a bit to rewrite it for cookies. Perhaps i should have made the whole authentication side of things modular/class/function based or something, would have saved a load of work.
|
AndyKent
Member
Registered: 3rd Sep 05
User status: Offline
|
Seems a bit pointless having a bool for logged in to me. If the cookie has been set then the user is obviously logged in (so bool = true).
If the user disappears the bool never gets updated to false so pretty pointless checking it tbh (so bool still = true even though it should be false technically).
I don't get some people's coding really. I assume this isn't something you've custom made?
|
John
Member
Registered: 30th Jun 03
User status: Offline
|
If the connection is running through a server they may be using ISA, it's crap and could cause issues, there aren't many other things that would run on a server for 3 or 4 people.
Maybe they just mean they have a server.
[Edited on 20-05-2010 by John]
|
Dom
Member
Registered: 13th Sep 03
User status: Offline
|
quote: Originally posted by John
If the connection is running through a server they may be using ISA, it's crap and could cause issues, there aren't many other things that would run on a server for 3 or 4 people.
Maybe they just mean they have a server.
[Edited on 20-05-2010 by John]
Exchange is about the only thing on it and network storage, it's some silly dell server. I would have thought it'd cause issues with sessions though
|