
Sessions Expire Unexpectedly

Hi everyone.

I have another little problem that I could use some advice on. I have
a session class that handles creating a simple session to keep my
users logged in. It works fine. However, the session will expire in a
random amount of time. I've checked php's configuration and they are
set to expire when the browser is closed (and is what I want). It also
uses cookie sessions rather than the session id in the url. I have
access to both php4 and 5 if needed (all of the code is php4 though).

Here is some of the session code.
/**
 * newSession( $userId, $password )
 * Creates a blank session.
 */
function newSession( $userId, $password )
{
    /**
     * Set the user info in the session.
     */
    $config = new configuration( $this->database );
    $config->getConfig();
    $configArray = $config->configArray;

    $_SESSION['honey'] = $userId;
    $_SESSION['bun'] = sha1( $configArray['salt'] . $userId .
        md5( $password ) );
    $_SESSION['glaze'] = time();
}

/**
 * checkSession()
 * Checks the current session.
 */
function checkSession()
{
    $config = new configuration( $this->database );
    $config->getConfig();
    $configArray = $config->configArray;

    $userId = mysql_real_escape_string( $_SESSION['honey'] );
    $this->current_user_id = $userId;

    $sql = "SELECT * FROM `users` WHERE `id` = '$userId'";
    $query = $this->database->query( $sql );
    $num = $this->database->count_rows( $query );

    /**
     * Check if user exists
     */
    if( $num != 1 )
    {
        $this->error = "Session expired.";
        return false;
    }

    /**
     * Check hashes
     */
    $sql = "SELECT * FROM `users` WHERE `id` = '$userId'";
    $query = $this->database->query( $sql );
    $row = $this->database->get_row( $query );
    $tempHash = sha1( $configArray['salt'] . $userId .
        md5( $row['pass'] ) );

    if( $_SESSION['bun'] != $tempHash )
    {
        $this->error = "Hashes do not match.";
        return false;
    }

    /**
     * Check if session is expired.
     */

    $tempTime = time() - 82400;

    if( $_SESSION['glaze'] < $tempTime )
    {
        if ( isset( $_COOKIE[session_name()] ) )
        {
            setcookie( session_name(), '', time()-42000, '/' );
        }

        session_destroy();

        $this->error = "Session timed out";
        return false;
    }

    $this->getUsernameFromId( $userId );
    $this->updateSession();

    return true;

}

I always get the session expired error I return. Any idea?
Improvements?

Apr 30 '07 #1
6 Replies


dawnerd wrote:
> I have another little problem that I could use some advice on. I have
> a session class that handles creating a simple session to keep my
> users logged in. It works fine. However, the session will expire in a
> random amount of time.

I did not look at the code but I can tell you about one way the expire
might happen seemingly "randomly": Do you have any other PHP apps
installed on the server where you are testing your code? They might in
fact be deleting your sessions! Why? Because the sessions for all PHP
apps are by default stored as files in the same place: The system temp
dir. This collides with the ability to set the session expiration time
per application. If you have another app on your server where this time
is significantly shorter then at any given time a request on this app
might cause the session data for ALL apps to be cleaned up!

Fix: Use a unique storage location for your app and check if the error
persists.

OLLi
--
Bug? That's not a bug, that's a feature.
[T. John Wendel]
Apr 30 '07 #2

On Apr 30, 4:22 pm, Oliver Grätz <oliver.gra...@gmx.de> wrote:
> dawnerd wrote:
>> I have another little problem that I could use some advice on. I have
>> a session class that handles creating a simple session to keep my
>> users logged in. It works fine. However, the session will expire in a
>> random amount of time.
>
> I did not look at the code but I can tell you about one way the expire
> might happen seemingly "randomly": Do you have any other PHP apps
> installed on the server where you are testing your code? They might in
> fact be deleting your sessions! Why? Because the sessions for all PHP
> apps are by default stored as files in the same place: The system temp
> dir. This collides with the ability to set the session expiration time
> per application. If you have another app on your server where this time
> is significantly shorter then at any given time a request on this app
> might cause the session data for ALL apps to be cleaned up!
>
> Fix: Use a unique storage location for your app and check if the error
> persists.
>
> OLLi
>
> --
> Bug? That's not a bug, that's a feature.
> [T. John Wendel]

That might be the reason; however, all my applications use the same
classes.

Apr 30 '07 #3

PHP's built in session stuff is confusing you behind the scenes.
php.ini holds the simple answer to changing session timeout (it can
time out if the browser is not making any connections, even if browser
is not closed). php.ini is also the place to mess with cookie vs url
SESSID traveling. You may find it interesting to make your session
class also handle session saving and manipulating, with
session_set_save_handler and a few more methods.

http://php.net/session_set_save_handler

Apr 30 '07 #4

Or maybe my suggestion has nothing to do with the problem. I was
writing my message while the second two replies came in, so I didn't
see them coming. dawnerd, what Oliver G. pointed out does not mean
that your own applications might delete it, but if you are on shared
hosting then something you don't know about might be abducting your
stuff.

-Mike PII

Apr 30 '07 #5

On Apr 30, 4:36 pm, Mike P2 <sumguyovrt...@gmail.com> wrote:
> Or maybe my suggestion has nothing to do with the problem. I was
> writing my message while the second two replies came in, so I didn't
> see them coming. dawnerd, what Oliver G. pointed out does not mean
> that your own applications might delete it, but if you are on shared
> hosting then something you don't know about might be abducting your
> stuff.
>
> -Mike PII

I am using media temple's grid, so other people's applications would
not affect mine. I will look some more into the ini file to make sure
something isn't set wrong. What bugs me though is that a session will
end, but another be kept alive.

May 1 '07 #6

I believe I have fixed it. I set the session save path. The default
was not set, which stored the session in a temp file (I think). I can
also guess that this temp folder was purging files. Again, just a
guess. I would really like to know how php handles sessions when the
directory is not defined.

May 1 '07 #7
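
An added example, not code from any post in this thread, of the fix discussed in replies #2 and #7: give the application its own session directory and keep PHP's garbage-collection lifetime in line with the application's idle timeout. It targets PHP 7+ rather than the PHP 4 code above; the directory path, the 24-hour limit and the `last_seen` key are assumptions.

```php
<?php
// Added example, not the poster's code. Targets PHP 7+; APP_SESSION_DIR and
// IDLE_LIMIT are assumed values.
const APP_SESSION_DIR = __DIR__ . '/../var/sessions'; // assumed: outside the web root
const IDLE_LIMIT      = 86400;                        // assumed: 24 h idle timeout

function startAppSession(string $dir = APP_SESSION_DIR, int $idle = IDLE_LIMIT): void
{
    // Private directory: with no save_path the files handler falls back to the
    // system temp dir, which other PHP apps on the host may share.
    if (!is_dir($dir) && !mkdir($dir, 0700, true)) {
        throw new RuntimeException("cannot create session dir: $dir");
    }
    chmod($dir, 0700);

    ini_set('session.save_path', $dir);
    // GC deletes files in save_path older than *this* script's gc_maxlifetime,
    // so it must be at least as long as the application's own idle limit.
    ini_set('session.gc_maxlifetime', (string) $idle);
    // Some distributions set gc_probability=0 and clean only the default
    // directory from cron; a custom path then needs PHP's own GC enabled.
    ini_set('session.gc_probability', '1');
    ini_set('session.gc_divisor', '100');

    ini_set('session.cookie_lifetime', '0');   // cookie ends when the browser closes
    ini_set('session.use_only_cookies', '1');  // never accept the ID from the URL
    ini_set('session.use_strict_mode', '1');   // reject IDs the server did not issue
    ini_set('session.cookie_httponly', '1');   // keep the cookie away from scripts

    session_start();
}

// Returns true while the session is within the idle limit and refreshes the
// timestamp; destroys it otherwise. 'last_seen' is a hypothetical key name.
function sessionIsFresh(int $idle = IDLE_LIMIT): bool
{
    $last = $_SESSION['last_seen'] ?? null;
    if ($last !== null && $last < time() - $idle) {
        $_SESSION = [];
        session_destroy();
        return false;
    }
    $_SESSION['last_seen'] = time();
    return true;
}

startAppSession();
if (!sessionIsFresh()) { /* send the user back to the login form */ }
```

Call `session_regenerate_id(true)` right after a successful login so the pre-login session ID is not carried into the authenticated session.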
