
Updated, see the section regarding Symfony session configuration in PHP.ini

I have a website that contains multiple pages that are created using PHP and the Symfony v2.8 framework. For most of the pages in my website the default HTML/PHP session timeout is fine, but I have a couple of webpages that I'd like to keep the HTML/PHP session 'alive' indefinitely while the user is on those webpages.

I'm not the only one asking about this, see How to extend session cookie lifetime in Symfony?, which doesn't actually have an answer that extends the session 'life' of selected webpages as of this date, it only shows how to set the session expiration of all webpages in the site that use the same config.yml page, which is definitely not what I want to do.

I may be confused about the sessions, but from my understanding there seem to be two sessions, one for the HTML webpage that the user sees in the browser and one for PHP that controls how long variables keep their assigned values.

Either way, I have a login webpage where after successfully logging-in a login-expiration limit value is generated and then passed to the pages that the user navigates to within my website. As the user navigates to different pages within my website or one of those web pages performs AJAX calls, the server checks that the requests occurred before the webpage's login-expiration limit value. If so then the request is honored and the new content is returned to the browser. If not, then the user is redirected to a webpage that tells them that they have been logged-out and provides a link to the original login webpage where they may again log back in to continue to use my website.

This login and login-expiration limit is actually an artificial mechanism that ends and restarts the HTML/PHP session when new webpages are served to the user's browser, which works fine. If the user waits long enough, then the real PHP session expires and the server redisplays the initial homepage, where the user can choose to log back in, except that the PHP variable values that were set in the previous session are lost to the new session. This is a problem for me because the original URI query parameters in the user's original homepage request are used to configure the overall look of my website, which are lost, and the server sends the default webpage to the browser.

For most of my webpages, except for the loss of the PHP variable values, this is exactly what I want, but on a few webpages which act like a kiosk, I want to have the HTML/PHP sessions not timeout and solely rely on the regularly recurring AJAX calls that refresh the contents on those webpages and keep them alive. This works well for extending my artificial login limit, but these AJAX calls aren't preventing the HTML/PHP sessions from expiring, which eventually is seen when the user tries to navigate away from these pages or when a server error occurs when a server-side variable has lost its value.

How can I programmatically extend the 'life' of the HTML/PHP sessions with each AJAX call that the session receives or set it to indefinitely stay 'alive' when these pages are first served?

Symfony session configuration in PHP.ini

I'm including some of the entries in the PHP.ini Session section that configure how sessions are implemented in my Symfony/PHP.

[Session]
⫶
; Initialize session on request startup and recommended by Symfony v2.8.

session.auto_start = 0

; Lifetime in seconds of cookie or, if 0, until browser is restarted.

session.cookie_lifetime = 0
⫶
; Defines the probability that the 'garbage collection' process is started
; on every session initialization. ...

session.gc_probability = 1

; Defines the probability that the 'garbage collection' process is started on
; every session initialization. ...

session.gc_divisor = 1000

; After this number of seconds, stored data will be seen as 'garbage' and
; cleaned up by the garbage collection process.

session.gc_maxlifetime = 1440
⫶
; Set to {nocache,private,public,} to determine HTTP caching aspects
; or leave this empty to avoid sending anti-caching headers.

session.cache_limiter = nocache

; Document expires after n minutes.

session.cache_expire = 180
⫶

Here is an official Symfony v2.8 article on how to interact with Symfony sessions, Session Management, but it doesn't talk about extending sessions. The session.cookie_lifetime = 0 setting assignment from the PHP.ini Session section controls the "Lifetime in seconds of cookie or, if 0, until browser is restarted". However, this doesn't actually appear to work as described, because after a while, at least an hour or more, if the user navigates to another webpage in my site, away from one of the webpages that use AJAX calls to update the user's login expiration limit to prevent the user from being automatically logged-out, the user IS logged-out and redirected to my website's homepage, but the variables controlling how the website looks lose their values and the homepage is shown with the default values.

Note, in this case, the user being logged-out isn't a problem, but the loss of the variables is.

Saving these values in the browser's local storage doesn't seem like a good idea because the server would have to send a page to the user's browser and have the new webpage fetch and send them back to the server so that these values could be used in creating additional webpages.

Storing these values in a database also is a problem because the server has lost the variables that would allow the web-app to look-up the database record. Note, the webpages already send these login-id and login-expiration limit values in the page request, but these can't be used to access server-side variables after they are lost. Also, there is the problem that anything stored in the database would simply clutter up the database should a user not logout and simply go to a website outside my own, but not return. I'd need to implement additional garbage collection to prevent this. This is not optimal unless there really isn't a better way to do what I'm trying to do in order to maintain the server-side variables in a user's session.

Thank you.

Stephan Vierkant

1 Answer

You can use subdomains for those specific pages where you want extended session time. For those subdomains you can increase the timeout keeping the main domain session timeout unchanged.

E.g., let's assume your domain is abc.com, which has a timeout of 30 min. You need to have a subdomain like mno.abc.com and have a timeout of 60 min. When the user clicks on the specific links with mno.abc.com they will have a 60 min session timeout. You can share session information between abc.com and mno.abc.com; see Sharing SESSION Variables Between Multiple Subdomains for additional reading.

Viswanath Polaki
  • Viswanath, Interesting idea, thanks. The session 'life' appears to be controlled by a common PHP.ini file in the root level etc directory, so all of my domains and sub-domains would be using this. How would I cause a sub-domain to have its own PHP.ini? –  Oct 25 '20 at 11:11
  • Is there really no way to dynamically extend the session other than using different sub-domains and different PHP.ini? I've amended my original question to note that my PHP.ini already is set to keep the session 'alive' until the browser closes or garbage collection marks the variables for collection after 1440 seconds, which is considerably longer than what I'm seeing when my server-side variables lose their values after only an hour or so. So using a sub-domain with a different PHP.ini file won't help until this premature expiration problem is addressed. –  Oct 25 '20 at 11:16
  • Yes, it is possible to have different timeouts for different domains by using php inbuilt function ini_set. Refer: https://stackoverflow.com/questions/8311320/how-to-change-the-session-timeout-in-php – Viswanath Polaki Oct 27 '20 at 03:13
  • Viswanath, thanks again. I looked at your suggested link and the related pages, but came away with a question about the following: session.gc_maxlifetime specifies the integer number of seconds after which data will be seen as 'garbage' and potentially cleaned up. Garbage collection may occur during session start (depending on session.gc_probability and session.gc_divisor). Fine, but in my next comment I show the Note on this subject, and it seems that the Garbage collection across pages can affect each other. See my next comment. –  Oct 30 '20 at 12:50
  • Note: If different scripts have different values of session.gc_maxlifetime but share the same place for storing the session data then the script with the minimum value will be cleaning the data. In this case, use this directive together with session.save_path. I'm thinking that the session's script would be any script run in the session since it started, so extending the Garbage Collection to keep variables from losing their values relies on the minimum value set in any page or the PHP.ini, so this can't actually be changed, unless I change the session data place per script. Right? –  Oct 30 '20 at 12:56
  • When a user comes to my web-site's home page, the Garbage Collection timer for the user's session starts, the user logs in and "I" begin to keep track of the user's information in server-side global storage, then the user navigates around the pages in my site, each having different php scripts to create the pages, the session's global server-side variables WILL be lost after the minimum Garbage Collection timer duration set by any script expires starting from the time that the user came to my website's home page (1440 seconds default). Navigating through the pages doesn't extend the session. –  Oct 30 '20 at 13:08
  • That is unless I change the session.save_path or the sub-domain. This isn't discussed anywhere else. I've seen lots of discussions about changing the Garbage Collection parameters, even though I don't understand any of it, but if the note about Garbage Collection save path was as I read it, then none of this would have any effect, and changing to sub-domains and different save paths would be the only way to make all of this work. How are banks doing this, wouldn't I see the sub-domain change in my browser's URL line? –  Oct 30 '20 at 13:14
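
The manual note quoted in the comments above (scripts with different session.gc_maxlifetime sharing one storage location, to be used together with session.save_path) can be applied as in the following added example, which is not code from the question, the answer or Symfony. It is plain PHP 7.1+ outside Symfony's session service; the function name, constants, directory and session keys are hypothetical. Every page of the application uses one private save path and one long gc_maxlifetime, and the per-page timeout is enforced by the application with timestamps kept in the session, with an absolute cap so a kiosk session cannot live forever.

```php
<?php
// Added example. All names below are hypothetical, not from the page.
const STORAGE_LIFETIME = 86400;  // seconds the garbage collector leaves idle session files alone
const ABSOLUTE_MAX     = 86400;  // hard cap on session age, however active it is
const DEFAULT_IDLE     = 1440;   // idle limit enforced for normal pages
const KIOSK_IDLE       = 43200;  // idle limit for kiosk pages; must stay <= STORAGE_LIFETIME

/**
 * Starts the session and applies the idle limit of the calling page.
 * Returns true if the existing session is still valid, false if it was reset.
 */
function start_app_session(string $saveDir, int $idleLimit): bool
{
    // A private directory keeps other scripts or cleanup jobs that use a
    // shorter gc_maxlifetime on the shared default path away from these files.
    if (!is_dir($saveDir)) {
        mkdir($saveDir, 0700, true);
    }
    ini_set('session.save_path', $saveDir);
    ini_set('session.gc_maxlifetime', (string) STORAGE_LIFETIME);
    ini_set('session.use_strict_mode', '1');   // reject session IDs the server did not issue
    // lifetime 0 = browser session; secure=true assumes the site is served over HTTPS
    session_set_cookie_params(0, '/', '', true, true);
    session_start();

    $now     = time();
    $created = $_SESSION['created_at'] ?? $now;
    $last    = $_SESSION['last_activity'] ?? $now;

    if ($now - $last > $idleLimit || $now - $created > ABSOLUTE_MAX) {
        // Expired by application policy: drop the data and issue a new ID.
        $_SESSION = [];
        session_regenerate_id(true);
        $_SESSION['created_at']    = $now;
        $_SESSION['last_activity'] = $now;
        return false;
    }

    // Every request, AJAX refreshes included, rewrites the session file, so its
    // modification time (what the file-based collector checks) moves forward.
    $_SESSION['created_at']    = $created;
    $_SESSION['last_activity'] = $now;
    return true;
}

// Kiosk page or its AJAX endpoint; a normal page would pass DEFAULT_IDLE.
$alive = start_app_session(sys_get_temp_dir() . '/app_sessions_example', KIOSK_IDLE);
```

The configuration calls only take effect if they run before the session is started, so a framework that starts the session itself needs the same two settings applied in its own session configuration instead.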