Sessions - how can I prevent users being logged out when inactive?

Hi there,

Users of my PHP DB application have complained that it seems to log them out
every now and then. I actually assume this is when it has been idle for
some time, as I use session variables to store a logged-in token.

With only basic knowledge of sessions I assumed there was some kind of
default time before the session data is destroyed.

Is this the case?

My investigations revealed a session.cookie_lifetime directive, but the
default value of 0, as in my environment, means the cookie lasts forever, so
this could not be my problem.

The other directive was session.cache_expire, which I do not fully understand
if this would have an effect or not, but it may do. This has a default of
180 mins so I thought maybe users are being logged out after 180 mins.

As an experiment I tried setting this to 1 min (session_cache_expire(1);),
but doing this and then checking if it was set with phpinfo() found that it
stayed at 180. Therefore I could not change the value.

So can anyone help? If I do have to set the session.cache_expire, do I have
to set this on each page where a session_start is used, or can I just set it
after the login page, and then the value I set will remain?

Any help on this matter appreciated.

Kind regards

Dave


Jul 17 '05 #1


session.cookie_lifetime = 0 means the cookie will be deleted as soon as
the browser is closed, which logs the user out.

set it to another value (in sec's, using ini_set()) to keep the user
logged in longer. but note that this is not surefire because what the
users do with your cookie is up to them.

micha

Jul 17 '05 #2

Yes you are right there of course, but in this instance users are being
logged out when they have not closed the browser. In fact they expect that
if they close the browser they will be logged out which is better behaviour.
I need to prevent the time out occurring on a window which they have kept
open (note this window does use frames if this makes a difference).

Kind regards

Dave
Jul 17 '05 #3


frames might make a difference: php starts session for single scripts,
not for browser windows or whole domains. that means a session_start()
call is needed for every script that makes use of the session.

another thought: does your login validate the user's ip? if yes, try
without it, because if your user's connections are idle, their
computers might disconnect, and then connect from a different ip again,
which invalidates your login.

micha

Jul 17 '05 #4

Thanks again Micha,
but no, the login is quite basic and does not check IP address. Also every
script does have its own session start, so I do not think this particular
problem is related to the frames.

Still a bit funny why I cannot change the session.cache_expire value (at
least when I do a phpinfo it does not seem to change although I can change
other values)

Anyone else have any thoughts on what the problem could be here?

Jul 17 '05 #5

session.cache_expire has no effect if session.cache_limiter is set to
nocache which is the default and probably what you want it to be, so
there's probably no need to worry about why cache_expire doesn't change
for you.

For sessions to remain active yes you do have to change the
session.cookie_lifetime value, and you also should change the
session.gc_maxlifetime value to be the same. If you don't then even
though the session cookie will remain active for the user, the
session data file on the webserver will get deleted in a much
shorter period, invalidating the session.

Each time you do a session_start(), set the above values using ini_set
and you should be good to go...
--
Dave <da**@REMOVEbundook.com>
(Remove REMOVE for email address)
Jul 17 '05 #6

OK still a bit confused. I used ini_set to set the session.gc_maxlifetime
and session.cookie_lifetime variables and using phpinfo() I found they had
been set to what I wanted.

Therefore as an experiment I set the values to be 1 like so:
ini_set("session.cookie_lifetime", "1");
ini_set("session.gc_maxlifetime", "1");

Now I would have expected for the session therefore to only last 1 second,
and as the login information is held in the session variables I expected to
be logged out right away (Therefore when I attempted to view another script
that requires login, it would take me to the login screen).

1) This did not happen. Anyone know of any reasons why?
2) (Not as important as 1.) With regard to using session.cache_limiter
(independently from the above question), I played around with setting
this to private_no_expire so that when users pressed the back button on the
browser, pages would not be resent to the server. Does not seem to work that
well and I ended up using form GETs as opposed to POSTs as a workaround.
3) Is it OK to set the session.cookie_lifetime and session.gc_maxlifetime in
a header file that is called with require_once?

Thanks in advance for any help.

Kind regards

Dave

Jul 17 '05 #7
On Mon, 11 Jul 2005 10:05:53 -0400, Dave <da**@REMOVEbundook.com> wrote:
> For sessions to remain active yes you do have to change the
> session.cookie_lifetime value, and you also should change the
> session.gc_maxlifetime value to be the same. If you don't then even
> though the session cookie will remain active for the user, the
> session data file on the webserver will get deleted in a much
> shorter period, invalidating the session.
>
> Each time you do a session_start(), set the above values using ini_set
> and you should be good to go...

One thing to remember when modifying session duration settings at runtime is
that the PHP sessions garbage collector piggy-backs on requests with a
probability set by a couple of configuration options.

If there are any other pages on the server that don't have the options
ini_set'ed, then the garbage collector may run from other pages, _with the
default settings_, so could purge your sessions from the server-side session
directory if they exceed the default timeout, regardless of what you had in
force at the time the session started.

For the pages where you change the session settings, you probably also want to
specify an alternate session.save_path to isolate those session files from the
rest of the server.

--
Andy Hassall / <an**@andyh.co.uk> / <http://www.andyh.co.uk>
<http://www.andyhsoftware.co.uk/space> Space: disk usage analysis tool
Jul 17 '05 #8
you can use a .htaccess file to set php config for your whole site

the file must contain something like this

php_flag OPTION_NAME OPTION_VALUE

micha

Jul 17 '05 #9
I do actually code all my own ini_sets in an include file which every
page requires, hence I've never really considered the situation you
mention, but it's an excellent point, so thanks for the tip.
--
Dave <da**@REMOVEbundook.com>
(Remove REMOVE for email address)
Jul 17 '05 #10
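
A session include of the kind discussed in this thread, as an added example (not code from any poster): it applies the lifetime settings before session_start(), isolates the session files in their own save_path, and enforces the idle limit with a stored timestamp so that expiry does not depend on when the garbage collector happens to run. The directory, the 4-hour limit, the 'last_seen' and 'user_id' keys and /login.php are assumptions; the array form of session_set_cookie_params() needs PHP 7.3 or later.

```php
<?php
// session_bootstrap.php: added example, require_once'd at the top of every page.
// Assumed names: SESSION_DIR, IDLE_LIMIT, 'last_seen', 'user_id', /login.php.

const IDLE_LIMIT  = 4 * 3600;                      // allowed inactivity in seconds (assumed)
const SESSION_DIR = '/var/lib/php/myapp_sessions'; // hypothetical; must exist, mode 0700,
                                                   // owned by the web server user

function start_app_session(): void
{
    // All session.* settings must be applied BEFORE session_start().
    // A private save_path keeps scripts elsewhere on the server, whose garbage
    // collector runs with the default gc_maxlifetime (1440 s), from purging
    // this application's session files.
    ini_set('session.save_path', SESSION_DIR);
    ini_set('session.gc_maxlifetime', (string) IDLE_LIMIT);
    ini_set('session.use_strict_mode', '1');  // refuse session IDs the server did not issue
    ini_set('session.use_only_cookies', '1'); // never accept the ID from the URL

    session_set_cookie_params([
        'lifetime' => 0,       // browser-session cookie: closing the browser logs out
        'path'     => '/',
        'secure'   => true,    // assumes the site is served over HTTPS
        'httponly' => true,    // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();
}

// The garbage collector only runs on a fraction of requests
// (session.gc_probability / session.gc_divisor), so a file older than
// gc_maxlifetime can stay usable for a long time. The idle limit is therefore
// checked explicitly against a timestamp stored in the session.
function session_idle_expired(array $session, int $now, int $limit = IDLE_LIMIT): bool
{
    return isset($session['last_seen'])
        && ($now - (int) $session['last_seen']) > $limit;
}

function require_login(): void
{
    start_app_session();

    if (session_idle_expired($_SESSION, time())) {
        $_SESSION = [];
        session_destroy();                 // delete the server-side file now
        header('Location: /login.php?reason=idle');
        exit;
    }
    if (empty($_SESSION['user_id'])) {     // set by the login script after authentication
        header('Location: /login.php');
        exit;
    }
    $_SESSION['last_seen'] = time();       // activity resets the idle clock
}
```

Each protected page calls require_login() before sending any output; the login script should call session_regenerate_id(true) at the point where it sets 'user_id'.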
