0

I've a website where we've a lot of subdomains + our main website on the same domain (the website is coded in CodeIgniter).

For example:

sub.domain.com
sub1.domain.com
sub2.domain.com
domain.com

Our main domain is used as the system for our clients, and the subdomains are where our clients' customers can make a booking.

We've a HUGE problem with auto logout after between 5 minutes and 1 hour.

Our current settings are the following:

$config['sess_driver'] = 'files';
$config['sess_cookie_name'] = 'sessionfield';   
$config['sess_expiration'] = 2592000;
$config['sess_save_path'] = NULL;
$config['sess_match_ip'] = FALSE;
$config['sess_time_to_update'] = 300;
$config['sess_regenerate_destroy'] = FALSE;

$config['cookie_domain']    = '.domain.com'; //real domain removed for security
$config['cookie_path']      = '/';
$config['cookie_secure']    = FALSE;
$config['cookie_httponly']  = FALSE;

if($subdomain){
    $config['encryption_key'] = '[key 1 goes here]'; // real key removed for security
}else{
    $config['encryption_key'] = '[key 2 goes here]'; // real key removed for security
}

I've tried to search for almost every solution that has been written about out there (change cookie_domain, change encryption key for subdomains vs main domain etc.), but none of the solutions has worked.

So my question is, has anyone any kind of experience with this auto logout issue?

Looking forward to hearing from you.

Simon Thomsen
  • This might help : https://stackoverflow.com/questions/8311320/how-to-change-the-session-timeout-in-php – Sugumar Venkatesan Jul 30 '18 at 10:35
  • What about session timeout? – marcramser Jul 30 '18 at 10:35
  • It's completely normal for sessions to time out. As the link in the first comment alludes to, you have control over how long it is before that occurs. – ADyson Jul 30 '18 at 10:44
  • vSugumar: but then I need to change core settings that can increase the possibility of hijacking because the session IDs aren't changed in the background, right? marcramser: sess_expiration is set to 2592000 seconds at the moment, but doesn't seem to have any effect – Simon Thomsen Jul 30 '18 at 10:45
  • @ADyson but normally I can set sess_expiration to control this, but it doesn't seem to react to that. That's the weird part. So maybe it has something to do with subdomains, Facebook login etc. – Simon Thomsen Jul 30 '18 at 10:46
  • You perhaps need to provide us with more detail about your environment, current settings, what things you've attempted already. The things you've just mentioned in your comment are not in the question, for example. Please edit the question to give us a better understanding of the scenario. Right now we can really only make vague guesses, unfortunately. – ADyson Jul 30 '18 at 10:48
  • @ADyson I've just updated the question with the config code :-) – Simon Thomsen Jul 30 '18 at 10:53
  • You mentioned something about 3rd party logins like Facebook... you might want to explain if that actually plays some part in the situation? Are you experiencing this issue with these kinds of federated logins only, or with all types? What types of login do you support? Is it just that the user is logged out of the 3rd party service, or just your app, and/or is their whole session destroyed or just the login data? Plenty more detail is still required. – ADyson Jul 30 '18 at 10:55
  • Let us [continue this discussion in chat](https://chat.stackoverflow.com/rooms/177013/discussion-between-simon-thomsen-and-adyson). – Simon Thomsen Jul 30 '18 at 10:57

1 Answer

0

Well, on a distributed infrastructure it's better to use memcached for session saving and alteration. It's more robust and non-redundant for saving sessions on shared resources.

MWA
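The memcached session driver the answer recommends, written as a CodeIgniter 3 configuration alongside the settings from the question. This is an added example, not code from the answer or the asker; the memcached address `127.0.0.1:11211` and the HTTPS-only assumption behind `cookie_secure` are assumptions, and `.domain.com` is the placeholder used in the question.

```php
<?php
// application/config/config.php (CodeIgniter 3.x)
// Added example: session settings only, other config keys omitted.
defined('BASEPATH') OR exit('No direct script access allowed');

// Session storage.
// The question uses the 'files' driver with sess_save_path = NULL, which
// makes CodeIgniter fall back to session.save_path from php.ini.
// The 'memcached' driver needs the PHP Memcached extension; sess_save_path
// is then a comma-separated list of host:port[:weight] entries.
$config['sess_driver']    = 'memcached';
$config['sess_save_path'] = '127.0.0.1:11211'; // assumed local instance

// Because cookie_domain below covers every subdomain, the main site and
// all subdomains present the same session cookie, so every host must be
// configured with the same cookie name and the same session store.
$config['sess_cookie_name'] = 'sessionfield';
$config['sess_expiration']  = 2592000; // 30 days, value from the question
$config['sess_match_ip']    = FALSE;

// The session ID is regenerated every sess_time_to_update seconds.
// With sess_regenerate_destroy = FALSE the data stored under the old ID
// is left for garbage collection instead of being destroyed immediately.
$config['sess_time_to_update']     = 300;
$config['sess_regenerate_destroy'] = FALSE;

// Cookie scope and flags.
$config['cookie_domain']   = '.domain.com'; // placeholder from the question
$config['cookie_path']     = '/';
$config['cookie_secure']   = TRUE; // assumes every host is served over HTTPS
$config['cookie_httponly'] = TRUE; // keep cookies away from page JavaScript
```

Memcached must only be reachable from the application hosts: it stores session data for every logged-in user and does not authenticate clients by default.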