Prevent session expired in PHP Session for inactive user

Question

I have a problem with my application: my application has many forms and need about 1 hour to finish this form because the form is dynamic (can add other forms). The problem is: the session of my web server is 24 minutes. When user fill the form, they spent so much time and the session timed out because server recognize that the user is inactive. It's very annoying when form submitted, most data was lost and the user is returned to the login page. I have tried to make my session expired in 10 hours with this code:

ini_set('session.gc_maxlifetime', '36000');

But it's not working in my server, is it possible my server preventing ini_set() function?

So, what should I do for solving this problem? Can I prevent session timeout so that the session can be expanded to 10 hours? Or can I disable session expiration?

Thanks

You can implement your own session system based on cookies and databases or files. — jcubic, May 11 '11 at 10:22
Please select one of the answers as the answer to your thread. — cbroughton, May 11 '11 at 23:41
@jcubic -> yes sir, i have implemented cookies. so, if session expired, the cookies still saving the login data, but when the user submit the form, the page redirecting to starting page (the page where we first look when login success). the redirect route is `form page (when submit, session expired) -> login page (if cookies true) -> starting page` so the data lost — dian, May 13 '11 at 09:37
I mean, don't use $_SESSION (session_start) use cookies and save your variables in database or files. When user login create a token and save it in cookie and store your variables based on this token. — jcubic, May 14 '11 at 17:42

score 48 · Accepted Answer · answered May 11 '11 at 12:34

48

Instead of setting the time in ini to a fixed length, remind that session timeout is reset on reload. So create some ajax code that does a request every 5 minutes or so to a file (image or smth). This way the timer is reset every 5 minutes and users can spend a day filling out your forms.

answered May 11 '11 at 12:34

Prikkeldraad

1,347
9
14

3

can't believe that one of the best solutions for that problem has got 0 upvotes till now -.- just increasing the session-lifetime should be the worst solution at all - it is a huge security risk and i never saw a web-application where _every_ usecase must have a long-living-session business-logic... so, make some ajax-calls on the use-case that needs that, and leave the session-timeout-time _untouched_ on the servers-side! geees... – jebbie Feb 12 '13 at 20:13
2

Could you give an example code? I have no experience with ajax. – Adam Aug 23 '14 at 08:41
2

Here, is the example: http://stackoverflow.com/questions/12597176/how-to-keep-session-alive-without-reloading-page – ujash joshi Dec 05 '16 at 09:08
so what happens that now chrome suspends background tabs? – sivann May 23 '18 at 13:04

score 37 · Answer 2 · answered Feb 25 '15 at 08:43

37

Here an example to prevent session timeout by using a jQuery Ajax call:

var refreshTime = 600000; // every 10 minutes in milliseconds
window.setInterval( function() {
    $.ajax({
        cache: false,
        type: "GET",
        url: "refreshSession.php",
        success: function(data) {
        }
    });
}, refreshTime );

in the refreshSession.php you can do something like session_start()

answered Feb 25 '15 at 08:43

MDeuerlein

690
1
8
13

3

best answer, instagram and facebook use this method – webmaster Mar 06 '15 at 16:35
This is a nice answer but I don't understand the advice to do a session_start on that script since for example on my case the session_start has already happened. Could somebody clarify this point to me please? – manou Jul 25 '16 at 01:47
1

There is no session script on this one. This is javascript to cause your user to load something from your server. (refreshSesson.php). The code is Javascript and looks to be using jQuery. The user (in this case ajax call) hitting your refresh page will restart your session assuming you have the session_start in your refreshSession.php file. – Dave Jul 28 '16 at 22:42

score 5 · Answer 3 · answered May 11 '11 at 11:40

5

I have had the same problem in the past. What I did to get around this was to place these two functions in a config file which gets included in every file.

session_set_cookie_params(86400);
ini_set('session.gc_maxlifetime', 86400);

and just for safe measure this line in my .htaccess file

php_value session.gc_maxlifetime 86400

answered May 11 '11 at 11:40

ChazUK

744
4
26

I have: `session.cookie_lifetime` = 200000; `session.gc_maxlifetime` = 600000. However this doesn't help and the data gets sometimes lost upon form submit. Any thoughts, please? – Andre Polykanine Sep 10 '16 at 23:53

score 3 · Answer 4 · edited May 23 '17 at 11:54

3

Changing session.gc_maxlifetime using ini_set should work as long as you change the option before calling session_start. So doing the following should work:

ini_set('session.gc_maxlifetime', 36000);
session_start();

You can also change that option in other contexts (see ChazUK’s answer).

But I wouldn’t set the cookie’s lifetime to a fixed value but make the session’s cookie a real session cookie that lasts until the browser session is ended (i.e. on browser close). You can do this by setting session.cookie_lifetime to 0.

Do also consider that PHP’s session expiration model is a little quirky as the lifetime calculation is based on the session data’s last modification date.

edited May 23 '17 at 11:54

Community

1
1

answered May 11 '11 at 11:50

Gumbo

643,351
109
780
844

1've tried using `ini_set('session.gc_maxlifetime', 36000);` before `session_start();` but it's not working on my server. i ignore my web in more than 24 minutes, and when i refresh it, it redirest to login page. is it possible my server preventing ini_set() function? or what? thank you sir – dian May 13 '11 at 07:10
Ok, i see, is it different between `ini_set('session.gc_maxlifetime', '36000');` and ini_set('session.gc_maxlifetime', 36000); sir ? see the number single quote :) – dian May 13 '11 at 07:14
i am using single quote in the number :D – dian May 13 '11 at 07:14
@dian: No, using quotes or not doesn’t make any difference in this case. But did you check whether the session ID is the same? – Gumbo May 13 '11 at 07:22

score 0 · Answer 5 · answered May 11 '11 at 10:26

How long a session cookie lasts is set when you create the session cookie. If you use the setcookie method, an argument of the method is the LENGTH for which you would like the cookie to last.

Please refer to the PHP manual on the method for additional information: http://php.net/manual/en/function.setcookie.php

RajiGates RajeshKumar · Answer 6 · 2022-04-08T01:40:32.990

0

<script>
    var refreshTime = 180000; // every 3 minutes in milliseconds
    $(document).ready(function(){
 setInterval(sessionCheck,refreshTime);
});
function sessionCheck() {
    $.ajax({
        cache: false,
        type: "GET",
        url: "refreshSession.php",// <?php session_start(); ?>
        success: function(data) {
        }
    });
    }
</script>

edited Apr 08 '22 at 01:40

answered Apr 08 '22 at 01:34

RajiGates RajeshKumar

31
3

Prevent session expired in PHP Session for inactive user

6 Answers6

Linked

Related