
session timeout suggestions wanted

I have a form where users logged in using sessions can edit articles in
a WYSIWYG editor. Some of them take their time and don't like to save
their work very often and occasionally the sessions expire and their
work goes poof. (I've suggested editing off-line and simply copy+paste
but they prefer the editor.)

After a lot of searching I've found the main culprit is
session.gc_maxlifetime and I can set it longer like...

ini_set('session.gc_maxlifetime', 7200); // 2 hour inactive session timeout

Are there other timeouts I should worry about with Apache/Linux?
(Caches, etc..?) My other php.ini settings are...

session.cache_expire 180 -> 3 hours shouldn't be a problem
session.cookie_lifetime 0 -> this is don't expire while browser open
right?

Now a few of my Google searches came up with a scenario for timeouts
where the timezone of server and client have to be considered. i.e. If
server is ahead of client by 1 hour, is the session timeout reduced by 1
hour for that client. Can this be true??

Also are there any other problems with a php session lasting 2 hours?
Small site, not a lot of users with these privileges or accessing the
editor.

Thanks for any advice.
Craig
Sep 22 '05 #1
3 Replies


> I have a form where users logged in using sessions can edit articles in
> a WYSIWYG editor. Some of them take their time and don't like to save
> their work very often and occasionally the sessions expire and their
> work goes poof. (I've suggested editing off-line and simply copy+paste
> but they prefer the editor.)
>
> After a lot of searching I've found the main culprit is
> session.gc_maxlifetime and I can set it longer like...
>
> ini_set('session.gc_maxlifetime', 7200); // 2 hour inactive session timeout

Two hours isn't a long expiration time. Two DECADES is a long
expiration time. Of course, you need to consider security issues
and what the threat is. Two hours inactive session timeout is way
too long for nuclear launch codes and probably for credit card
numbers. Two decades may be fine for logging into a chat room.

> Are there other timeouts I should worry about with Apache/Linux?

Apache doesn't store sessions or session cookies (it does pass them
through on HTTP requests, but it doesn't care how old they are).
PHP stores sessions and browsers store session cookies.

> (Caches, etc..?) My other php.ini settings are...
>
> session.cache_expire 180 -> 3 hours shouldn't be a problem
> session.cookie_lifetime 0 -> this is don't expire while browser open
> right?
>
> Now a few of my Google searches came up with a scenario for timeouts
> where the timezone of server and client have to be considered. i.e. If
> server is ahead of client by 1 hour, is the session timeout reduced by 1
> hour for that client. Can this be true??

It shouldn't be true but it might be anyway. The expires time in
a Set-Cookie header in the response is supposed to be in *GMT*.
This should be enough to not have timezones be an issue, but it
isn't. You can still have problems if (a) the client's (or server's)
clock is set incorrectly, or (b) the client's (or server's) idea
of what time zone it is in is incorrect. Having both (a) and (b)
as problems with offsetting errors (e.g. user sets the wrong timezone
but the clock shows the correct local time, so he'll swear up and
down that his clock is set correctly) will get GMT off by some
number of hours.

> Also are there any other problems with a php session lasting 2 hours?
> Small site, not a lot of users with these privileges or accessing the
> editor.


If you accumulate a lot of session files in whatever directory
they are stored in, it might slow down searches for the files.
This is more likely to be a problem with a heavy-traffic site
and a long expire time (e.g. months, years, decades).

Gordon L. Burditt
Sep 22 '05 #2
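
An added example, not part of the reply above or of anyone's code in this thread: one way to make the two-hour idle limit exact and independent of the client's clock is to keep a timestamp in the session and compare it against the server's clock on every request. The function name, the `last_activity` key, the simulated clock values and the temporary save path are assumptions made for this sketch.

```php
<?php
// Added example, not code from the thread. The function name and the
// 'last_activity' session key are names chosen for this sketch.
const IDLE_LIMIT = 7200; // seconds, the 2-hour value from the question

// Returns true while the session is within the idle limit, false when it
// was idle too long and has been reset. $now is injectable for the demo.
function start_session_with_idle_limit(int $idleLimit, ?int $now = null): bool
{
    $now = $now ?? time(); // server clock only

    if (session_status() !== PHP_SESSION_ACTIVE) {
        // GC may delete data only after this many idle seconds, but it runs
        // probabilistically, so it is not an exact timeout on its own.
        ini_set('session.gc_maxlifetime', (string) $idleLimit);
        // 0 = no expiry time on the cookie; the browser drops it on exit and
        // the client's clock or time zone never enters the decision.
        ini_set('session.cookie_lifetime', '0');
        session_start();
    }

    $last = $_SESSION['last_activity'] ?? null;
    if (is_int($last) && ($now - $last) > $idleLimit) {
        $_SESSION = [];              // discard the stale data
        session_regenerate_id(true); // new id, old session file deleted
        $_SESSION['last_activity'] = $now;
        return false;
    }

    $_SESSION['last_activity'] = $now;
    return true;
}

// Constructed demo for the PHP CLI, using a simulated clock.
ini_set('session.save_path', sys_get_temp_dir()); // demo only: writable dir
$t0 = 1000000;
$results = [
    'first request'       => start_session_with_idle_limit(IDLE_LIMIT, $t0),
    'one hour later'      => start_session_with_idle_limit(IDLE_LIMIT, $t0 + 3600),
    'idle past the limit' => start_session_with_idle_limit(IDLE_LIMIT, $t0 + 3600 + IDLE_LIMIT + 1),
    'request after reset' => start_session_with_idle_limit(IDLE_LIMIT, $t0 + 3600 + IDLE_LIMIT + 2),
];
// Print only after all session calls, so no output precedes header changes.
foreach ($results as $step => $valid) {
    echo $step, ': ', $valid ? 'session valid' : 'expired and reset', PHP_EOL;
}
```

On a real page the function would be called once at the top of each request, and a `false` return would send the user back to the login form.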

I had the same problem... what I did was to create a JS timer on the
page.
The timer has a 20 minute countdown, when reaching close to the 20
minute barrier, the timer alerts the user about an auto-save, then
processes the page and returns to it...

My clients at first complained about it, but now they are forever
grateful... since sometimes they leave the machine for coffee or God
knows what...

Sep 23 '05 #3

Bugz and Gordon,

Thanks for the replies, they were both much appreciated!

Craig
Sep 23 '05 #4
