I'm transferring my application to another server, but I have some issues with the PHP sessions that don't seem to expire.

In php.ini I've set:

session.gc_probability = 1
session.gc_divisor = 1
session.gc_maxlifetime = 300

Cookies are enabled, of course. And still, after 5 minutes, if I refresh the page I'm still logged in. Even if I close the browser and reopen the page. Edit: actually, it seems that closing the browser does clear the session.

Since every request passes through a certain script first (RewriteRule / begin.php), I'm quite lucky and I could get over the problem with this:

session_start();
// Expire the session once its stored limit has passed; a missing limit counts as expired.
if (!isset($_SESSION['sessionLimit']) || time() > $_SESSION['sessionLimit']) {
    session_destroy();
    session_start();
}
// Push the limit forward by gc_maxlifetime on every request (ini_get returns a string).
$_SESSION['sessionLimit'] = time() + (int) ini_get('session.gc_maxlifetime');

But still, I don't get what I'm doing wrong and why in the old server everything was fine (even if session.gc_divisor was set to 10).

Old server: Windows Server 2003, Apache 2.4, PHP 5.4.5, all 32 bit

New server: Windows Server 2008 R2, Apache 2.4, PHP 5.5.4, all 64 bit

MaxArt
  • `auto_prepend_file` is a better way to have a "startup" script than .htaccess rewrites. – Niet the Dark Absol Oct 17 '13 at 08:19
  • @NiettheDarkAbsol Nice. But I'm not using .htaccess, that's in the Apache's conf file. And anyway, begin.php is used for *every* request, including images and so on. – MaxArt Oct 17 '13 at 08:21
  • What’s your session.save_path set to, and what kind of OS is this running on? – CBroe Oct 17 '13 at 08:25
  • @CBroe It has no value, but that's the same for the old server. The OS is Windows Server 2008 R2, as stated in the question. – MaxArt Oct 17 '13 at 08:28
  • Are you the _only one_ using that server/domain? What if you visit it in another browser after 5 minutes + a bit, and then refresh the page where you're logged in? (And watch out for ajax polling et al., those will update your session's timestamp). Examine your access logs for this. – Wrikken Oct 17 '13 at 08:35
  • @Wrikken I'm the only one that uses that server. No AJAX is involved in the page I open. Your test doesn't change the result. – MaxArt Oct 17 '13 at 08:46

2 Answers

Please see this answer: How do I expire a PHP session after 30 minutes?

Gumbo explains the matter better than I ever could.

In particular, Gumbo explains why session.gc_maxlifetime is not reliable and he recommends implementing session timeout yourself, using a simple time stamp that denotes the time of the last activity (i.e. request), and updating that timestamp with every request:

session_start();
if (isset($_SESSION['LAST_ACTIVITY']) && (time() - $_SESSION['LAST_ACTIVITY'] > 1800)) {
    // last request was more than 30 minutes ago
    session_unset();     // unset $_SESSION variable for the run-time
    session_destroy();   // destroy session data in storage
    session_start();     // open a fresh session so the new time stamp below is persisted
}
$_SESSION['LAST_ACTIVITY'] = time(); // update last activity time stamp
Pavel
cssyphus
  • Ah, that was informative, I ended up in that answer a while ago. In the end that's exactly what I did, as stated in the question. Since it still has no marked answer, I might as well mark yours for pointing to the correct explanation. – MaxArt Apr 07 '14 at 07:07
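
The last-activity pattern recommended in this answer, written out as an added example that is not part of the original answer or of Gumbo's: it keeps the idle limit, adds an absolute lifetime so a session cannot live forever just by staying busy, and regenerates the session id after expiry so the old cookie value cannot resume the expired session. The two limit constants are illustrative values, and the function name is a hypothetical one. It runs on PHP 5.4 and later.

```php
<?php
// Added example: idle timeout plus absolute lifetime for a PHP session.
// Not the original post's code; SESSION_IDLE_LIMIT and SESSION_ABSOLUTE_LIMIT are illustrative.

define('SESSION_IDLE_LIMIT', 300);          // seconds since the last request (matches the question's gc_maxlifetime)
define('SESSION_ABSOLUTE_LIMIT', 8 * 3600); // seconds since the session was created, regardless of activity

/**
 * Start (or resume) the session, discard it if it is idle or too old,
 * and return true when an expired session was thrown away.
 */
function enforceSessionTimeout($idleLimit = SESSION_IDLE_LIMIT, $absoluteLimit = SESSION_ABSOLUTE_LIMIT)
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $now = time();
    $expired = false;

    if (isset($_SESSION['last_activity']) && $now - $_SESSION['last_activity'] > $idleLimit) {
        $expired = true; // no request for longer than the idle limit
    }
    if (isset($_SESSION['created_at']) && $now - $_SESSION['created_at'] > $absoluteLimit) {
        $expired = true; // absolute cap, even for a session that is refreshed constantly
    }

    if ($expired) {
        $_SESSION = array();         // drop the data held in memory for this request
        session_destroy();           // remove the server-side session data
        session_start();             // open a fresh, empty session...
        session_regenerate_id(true); // ...under a new id, deleting the old one, so the old cookie value is useless
    }

    if (!isset($_SESSION['created_at'])) {
        $_SESSION['created_at'] = $now; // first request of this session
    }
    $_SESSION['last_activity'] = $now;  // every request counts as activity

    return $expired;
}

// Usage from a front controller such as the question's begin.php:
if (enforceSessionTimeout()) {
    // The previous session is gone: redirect to the login page or continue as an anonymous visitor.
}
```

Because this runs on every request, any request routed through the front controller, images included, counts as activity and pushes the idle limit forward; that is the same effect Wrikken warned about for AJAX polling. Closing the browser still ends the session only because session.cookie_lifetime defaults to 0 (a session cookie); the server-side timeout above is what actually bounds the session's life.
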
It seems that the configuration is fine. Check permissions on the directory where your session files are stored. Maybe some permission restrictions do not allow PHP to delete them; in such a case sessions will not get garbage collected. Also check the modification dates, to see whether the files are really older than the maxlifetime.

Rafi
  • That would be `c:\windows\temp`. You mean that PHP may be able to create a session file, but not to erase it? Wouldn't `session_destroy` also fail? – MaxArt Oct 17 '13 at 08:35
  • Hmm, if it is temp, then it is rather not the case with permissions. I am not sure about session_destroy, as it actually destroys session data (documentation says: "Destroys all data registered to a session"). It does not destroy session identifier, so it is possible that session file is not removed, but only cleared of session data. And what about file dates? – Rafi Oct 17 '13 at 08:55
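
The check this answer suggests (file ages against gc_maxlifetime, and whether the files can be removed) as an added diagnostic script, not part of the original answer. It reads session.save_path, falling back to the system temp directory as PHP does when the setting is empty (c:\windows\temp on the questioner's host), and assumes the files sit directly in that directory rather than in "N;" subdirectory levels. The writability checks are an approximation of delete rights, and the function name is a hypothetical one. Runs on PHP 5.4 and later.

```php
<?php
// Added diagnostic (not part of the original answer): list the session files PHP's
// garbage collector would consider expired, and whether they look deletable.

/**
 * Return one row per sess_* file in the session directory, comparing its age
 * with gc_maxlifetime and reporting a rough permissions check.
 */
function sessionFileReport($dir = null, $maxlifetime = null)
{
    if ($dir === null) {
        // Empty session.save_path means PHP uses the system temp directory.
        $dir = ini_get('session.save_path') ?: sys_get_temp_dir();
        // save_path may carry an "N;" or "N;MODE;" prefix (e.g. "2;/var/lib/php"); keep only the path part.
        if (preg_match('/^\d+;(?:\d+;)?(.*)$/', $dir, $m)) {
            $dir = $m[1];
        }
    }
    if ($maxlifetime === null) {
        $maxlifetime = (int) ini_get('session.gc_maxlifetime');
    }

    $now = time();
    $rows = array();
    $files = glob(rtrim($dir, '/\\') . DIRECTORY_SEPARATOR . 'sess_*');
    foreach ($files ?: array() as $file) {
        $age = $now - filemtime($file); // gc compares the file's mtime against gc_maxlifetime
        $rows[] = array(
            'file'         => basename($file),
            'age'          => $age,
            'expired'      => $age > $maxlifetime,
            // Approximation: unlink needs delete rights, which these two checks do not fully capture,
            // but a "no" on either is a strong hint that gc cannot remove the file.
            'file_writable' => is_writable($file),
            'dir_writable'  => is_writable(dirname($file)),
        );
    }
    return $rows;
}

foreach (sessionFileReport() as $r) {
    printf("%-40s age=%6ds expired=%-3s file_writable=%-3s dir_writable=%s\n",
        $r['file'],
        $r['age'],
        $r['expired'] ? 'yes' : 'no',
        $r['file_writable'] ? 'yes' : 'no',
        $r['dir_writable'] ? 'yes' : 'no');
}
```

Run it from the command line with the same php.ini the web server uses (php -c path\to\php.ini report.php), or through Apache, so that it sees the same save_path and user account. Remember that the mtime is refreshed every time the session is written, so a session that is still being hit by requests never shows up as expired here; only files with no recent activity should be older than the limit.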