
We recently migrated from a Windows 2003 server running XAMPP to a CentOS server running Apache with PHP Version 5.3.3.

Originally, the issue was that users were being logged out after about 24 minutes, so I changed the INI variable session.save_path, which resolved the problem. However, some users are still periodically being logged out of our website, seemingly at random. It happens to multiple users using different browsers at different times. Sometimes after having the page sit unused, but sometimes while browsing from one page to another.

Here are our session-related INI settings:

    session.save_handler = files  
    session.save_path = "/var/sessions"  
    session.use_cookies = 1  
    ;session.cookie_secure =  
    ;session.use_only_cookies = 1  
    session.name = PHPSESSID  
    session.auto_start = 0  
    session.cookie_lifetime = 86400  
    session.cookie_path = /  
    session.cookie_httponly =  
    session.serialize_handler = php  
    session.gc_probability = 1  
    session.gc_divisor = 1000  
    session.gc_maxlifetime = 86400  
    session.bug_compat_42 = Off  
    session.bug_compat_warn = On  
    session.referer_check =  
    session.entropy_length = 0  
    session.entropy_file =  
    ;session.entropy_length = 16  
    session.cache_limiter = nocache  

At first I thought it might have been an issue with the cookie in the browser, as one of the users had his cookie set to never expire even though the code sets the cookie to expire after 24 hours. But, after deleting the cookie and having him log back in, it set the cookie properly to 24 hours, and he had the same issue of being logged out prematurely.

I have created a cron job script that deletes all the sessions every morning at 4am since the sessions have been moved out of the tmp directory.

I discovered today that the sessions on the server aren't being deleted, but a new session with a new session ID is being created when the users log back in, even though they still have an existing session on the server.

Any assistance would be greatly appreciated.

Chris Baker
Lee
  • In my experience, if the user is using IE, the browser ignores your session expiration settings and does its own thing. Are you sure this isn't the case? – Matt Aug 29 '12 at 18:24
  • A maybe silly question - is your server's date, time, and time zone correct? I am assuming you have checked this, but asking costs nothing. – Grzegorz Aug 29 '12 at 18:24
  • Please look here: http://stackoverflow.com/questions/520237/how-do-i-expire-a-php-session-after-30-minutes – Grzegorz Aug 29 '12 at 18:27
  • Yes, the server's date and time are both correct, and the php date.timezone = "America/Los_angeles". We have users using both IE8 and Firefox 14 that are both experiencing the issue. The gc_maxlifetime variable should not matter since I have the session.save_path set to something different, but I have the value set to last 24 hours, same as the cookie duration. When the cookies are created, they do have a 24 hour expiration time. I looked at the link by Grzegorz but did not see how that can help. – Lee Aug 29 '12 at 18:32
  • @Ivaughan: Sorry if the link did not help. I thought it could have when Gaumbo said that the methods people use are not reliable. The only thing that comes to my mind, and please, note that I have never had this issue you experience, is that the session id changes. Nothing else comes to my mind now. – Grzegorz Aug 29 '12 at 21:31
  • This may be a silly question, but are you sure the php_session module is installed? – nick Sep 05 '12 at 15:14

1 Answer


It appears that the problem was being caused by my cookies expiring after my server deleted the sessions.

I had a script set up to manually delete the sessions from the server every morning at 4am; however, my cookies were set to last 24 hours. So even after the users logged back into the website and created a new session on the server, the cookie didn't have its expiry time updated.

I decreased the cookie duration to 12 hours so that the cookies will always expire before the next time the user is required to log in, and the problem has gone away.

Lee
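The answer above works around a cookie that keeps its original expiry after a new login. As an added example (not code from the original post or from either poster), here is one way to have the cookie reissued at login instead, which also gives each login a fresh session ID. The function names `start_app_session` and `on_login_success` and the `last_seen` / `user_id` keys are hypothetical, and the `secure` flag is left off only because the question's `session.cookie_secure` is unset.

```php
<?php
// Added example; function and key names are hypothetical. Uses only
// session functions available in PHP 5.3, the version named in the question.

define('SESSION_LIFETIME', 86400); // same 24 h as session.cookie_lifetime above

function start_app_session()
{
    // lifetime, path, domain, secure, httponly
    // Assumption: set the 4th argument to true if the site is HTTPS-only.
    // httponly=true fills in the empty session.cookie_httponly from the question.
    session_set_cookie_params(SESSION_LIFETIME, '/', '', false, true);
    session_start();

    // Server-side idle timeout, so expiry does not depend on the browser
    // honouring the cookie lifetime or on when a cleanup job last ran.
    if (isset($_SESSION['last_seen'])
        && time() - $_SESSION['last_seen'] > SESSION_LIFETIME) {
        $_SESSION = array(); // treat as logged out
    }
    $_SESSION['last_seen'] = time();
}

function on_login_success($userId)
{
    // Issue a new session ID and delete the old session file. PHP sends a
    // new Set-Cookie for the new ID, so the cookie's expiry is counted from
    // this login rather than from whenever the old cookie was first set.
    // Changing the ID at login is also the standard session fixation defence.
    session_regenerate_id(true);

    $_SESSION['user_id']   = $userId;
    $_SESSION['last_seen'] = time();
}

function is_logged_in()
{
    return isset($_SESSION['user_id']);
}
```

Call `start_app_session()` at the top of every request and `on_login_success()` only after credentials have been verified.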