> From: "1LT John W. Holmes" <[EMAIL PROTECTED]>
>
>> I'm using sessions for authentication in a content management system and
>> experiencing rare but occasional problems with the session apparently
>> expiring unexpectedly. I've checked the manual and I've reviewed the session
>> configuration on the commercial host I'm using. I don't see anything wrong,
>> but there are some settings that I don't understand:
>>
>> session.gc_maxlifetime 1440 -- Garbage collection after 24 minutes? Does
>> this mean that the session id and session variables will be cleared after 24
>> minutes of inactivity? (Surely not; that doesn't make sense.) And cleared
>> from where, the directory specified in session.save_path?
>
> Yes and Yes. After 1440 seconds of not being accessed, they are deleted the
> next time the garbage collection routine is run.

So how did my tests of going up to 2 hours without activity succeed?

>> session.save_path /tmp -- The session id and session variables are stored in
>> this directory, and it's more secure to specify a different directory. Is it
>> more stable to specify a different directory? Is it more stable to use a
>> database?
>
> Depends on what else your server is doing and how much traffic you get. If
> you get a lot of traffic, there are going to be a lot of session files
> sitting in this directory. Keeping it separate from /tmp will just reduce
> the number of files in the directory.
>
> A database adds too much overhead and is only needed in special cases, IMO.
>
>> session.cache_expire 180 -- The cache expires after 3 hours? If
>> session.cache_limiter is set to nocache, is session.cache_expire relevant?
>
> Not sure on that one, but it seems logical.
>
>> Basically, I want users to be able to stay logged in to the content
>> management system indefinitely, but my tests show that after about 2 hours
>> of inactivity, the session expires. (Going to a different page causes the
>> session variable that identifies the user to be checked with
>> session_is_registered(), and access is denied if the variable isn't
>> registered.) Some users have reported this happening after about 30 minutes.
>
> Garbage collection isn't exact. It's triggered (by default) on 1% of the
> hits to your site. So if two are triggered close together, then someone can
> be logged out rather quickly at 30 minutes. If there is a long pause where
> the probability just doesn't trigger the garbage collection, then it may
> take longer.
>
>> I'm on Linux, PHP 4.1.2, session.cookie_lifetime setting is 0,
>> session.use_cookies setting is On, session.use_trans_sid setting is 1, and
>> other configurations as mentioned above. Why are sessions expiring? Comments
>> and directions to more information are appreciated.
>
> Sessions are lost when the file is cleaned up by garbage collection or when
> the user closes the browser (by default). So, if you wanted to use the
> existing session handling routines, you could set the cookie lifetime to a
> large value so the cookie isn't deleted and set the gc_maxlifetime to a
> large value, also. You could possibly turn the gc_probability to zero, so
> garbage collection is never triggered.
>
> Another option would be to use session_save_path() within your application
> to save the session files to a separate directory that's writable by the web
> server. Since this directory is different from session.save_path specified
> in php.ini, garbage collection will never occur, so the files will not be
> deleted.

This seems like the answer I was looking for. So the setting
session.gc_maxlifetime only relates to garbage collection from the /tmp
directory? If I use session_save_path() to define a different directory for
saving session data, then garbage collection will never occur for that
directory?

> You can also define your own session handler to do what you want.
>
> Why not just use a cookie to "remember me" though, instead of keeping the
> sessions persistent? You're going to end up with a file on your computer for
> _every_ person that visits the site and the file will not go away. Seems
> like it'd be better to just use a cookie and load their data if it's not
> already present, like on their first visit.

This is for a content management system, with less than 10 people authorized
to access it, so I don't see the number of session files as a problem.

Thanks for the info.

--
Lowell Allen

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
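
The point made in the thread that garbage collection "isn't exact" can be put in numbers. The sketch below is an added example, not part of the original messages: it models how long an idle session file survives when each request runs GC with 1% probability, assuming requests arrive at random (Poisson) and using two constructed traffic figures.

```python
import math
import random

GC_MAXLIFETIME = 1440   # seconds: session.gc_maxlifetime quoted in the thread
GC_PROBABILITY = 0.01   # "1% of the hits", the default named in the reply


def survival_probability(idle_s, hits_per_hour,
                         maxlifetime=GC_MAXLIFETIME, p=GC_PROBABILITY):
    """Chance that an untouched session file still exists after idle_s seconds.

    Assumed model: requests sharing the save_path arrive as a Poisson process
    and each one runs GC with probability p, so GC runs are Poisson with rate
    hits * p. The file is only eligible once it is older than maxlifetime.
    """
    exposed = max(0.0, idle_s - maxlifetime)
    return math.exp(-(hits_per_hour * p / 3600.0) * exposed)


def simulate_deletion_time(hits_per_hour, rng,
                           maxlifetime=GC_MAXLIFETIME, p=GC_PROBABILITY):
    """Replay requests one by one; return the idle time at which GC deletes the file."""
    rate = hits_per_hour / 3600.0
    # Poisson arrivals are memoryless, so start the clock at maxlifetime:
    # earlier requests may run GC but cannot delete a file that is still fresh.
    t = float(maxlifetime)
    while True:
        t += rng.expovariate(rate)   # wait for the next request
        if rng.random() < p:         # this request rolls the GC dice
            return t


def simulated_survival(idle_s, hits_per_hour, trials=2000, seed=1):
    """Fraction of simulated sessions still alive after idle_s seconds."""
    rng = random.Random(seed)
    alive = sum(simulate_deletion_time(hits_per_hour, rng) > idle_s
                for _ in range(trials))
    return alive / trials


if __name__ == "__main__":
    # Constructed traffic figures: a quiet private directory vs. a busy shared one.
    for label, hits in (("quiet, 20 hits/h", 20), ("busy, 5000 hits/h", 5000)):
        for idle in (1800, 7200):    # 30 minutes and 2 hours of inactivity
            print(f"{label:18} idle {idle:5d}s  "
                  f"model {survival_probability(idle, hits):.3f}  "
                  f"simulated {simulated_survival(idle, hits):.3f}")
```

Under these assumptions, most sessions in a quiet directory are still alive after 2 hours idle, while a busy directory removes nearly all of them soon after the 24-minute mark. Session lifetime under probabilistic GC is therefore a distribution, not a fixed timeout.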