[PHP] PHP sessions expiring early
I'm having trouble with a PHP website which requires users to be logged in to access all content other than the home page and a couple of static pages (about us, contact us etc.). Several users have said they are being logged out every few minutes whilst using the site - they can log in but will be shown the login form again after a few minutes. I can't confirm this myself as the site seems to work fine for me - even using the same browser as they are and under their accounts - but I'm wondering if this could be a problem with the session settings?

The current settings I have are:

session.auto_start Off
session.bug_compat_42 On
session.bug_compat_warn On
session.cache_expire 180
session.cache_limiter nocache
session.cookie_domain no value
session.cookie_httponly Off
session.cookie_lifetime 0
session.cookie_path /
session.cookie_secure Off
session.entropy_file no value
session.entropy_length 0
session.gc_divisor 100
session.gc_maxlifetime 3600
session.gc_probability 1
session.hash_bits_per_character 4
session.hash_function 0
session.name PHPSESSID
session.referer_check no value
session.save_handler files
session.save_path /shared/sessions
session.serialize_handler php
session.use_cookies On
session.use_only_cookies Off
session.use_trans_sid 0

The only options I have changed from the defaults are gc_maxlifetime, gc_probability and save_path. There are several sites on the same server, some are https, others just plain http. They all use the same session options. session_start() is called once on every page.

The PHP version we're running is: PHP 5.2.6-1+lenny13 with Suhosin-Patch 0.9.6.2 (cli) (built: Jul 1 2011 16:01:01). I'm aware it's an old version before anyone tells me to upgrade (it's the latest stable version in Debian Lenny). :)

Potential problems I have already ruled out:

1. I don't think it's a browser problem as the users have a variety of browsers and versions (we log the user agent for each login, they're mostly IE7/8 on XP/Vista/7 with a few Chrome users), and I can't reproduce the problem using the same browsers on my machine.
2. The server time is correct.
3. The sessions aren't stored in a directory which is being regularly cleared out, such as /var/lib/php5 or /tmp.
4. The web server has permission to write to the save_path directory, and I can see session files being created.
5. No output buffering functions are being used.

Can anyone suggest things which I could try? I cannot work out why this problem is happening for some users but not me.

Thanks in advance.

Paul

-- 
Paul Waring
http://www.phpdeveloper.org.uk

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] PHP sessions expiring early
On 09/07/2011 03:50 PM, Paul Waring wrote:
> I'm having trouble with a PHP website which requires users to be logged in to access all content other than the home page and a couple of static pages (about us, contact us etc.). Several users have said they are being logged out every few minutes whilst using the site - they can log in but will be shown the login form again after a few minutes. I can't confirm this myself as the site seems to work fine for me - even using the same browser as they are and under their accounts - but I'm wondering if this could be a problem with the session settings?

You have set gc_maxlifetime to 3600 seconds. How much expire time have you set? Because, every 3600 seconds, session data stored is considered as garbage and php clears them out itself. If your expiration time is more than 3600 seconds, then this will not work. You need to increase gc_maxlifetime.

For the other case, I'm clueless.

-- 
Nilesh Govindarajan
http://nileshgr.com
Re: [PHP] PHP sessions expiring early
On 07/09/11 11:47, Nilesh Govindarajan wrote:
> On 09/07/2011 03:50 PM, Paul Waring wrote:
>> I'm having trouble with a PHP website which requires users to be logged in to access all content other than the home page and a couple of static pages (about us, contact us etc.). Several users have said they are being logged out every few minutes whilst using the site - they can log in but will be shown the login form again after a few minutes. I can't confirm this myself as the site seems to work fine for me - even using the same browser as they are and under their accounts - but I'm wondering if this could be a problem with the session settings?
>
> You have set gc_maxlifetime to 3600 seconds. How much expire time have you set? Because, every 3600 seconds, session data stored is considered as garbage and php clears them out itself.

Yes, I'm aware of that. However, users are being logged out after a few minutes, not one hour of inactivity (which is what I'd expect with 3600 seconds).

> If your expiration time is more than 3600 seconds, then this will not work. You need to increase gc_maxlifetime.

If you mean the expiration time of the session cookie, it is set to 0, which means it shouldn't be deleted until the browser is closed (or the user logs out, at which point it is deleted immediately).

Paul

-- 
Paul Waring
http://www.phpdeveloper.org.uk
Re: [PHP] PHP sessions expiring early
On 7 September 2011 11:20, Paul Waring p...@phpdeveloper.org.uk wrote:
> I'm having trouble with a PHP website which requires users to be logged in to access all content other than the home page and a couple of static pages (about us, contact us etc.). Several users have said they are being logged out every few minutes whilst using the site - they can log in but will be shown the login form again after a few minutes. I can't confirm this myself as the site seems to work fine for me - even using the same browser as they are and under their accounts - but I'm wondering if this could be a problem with the session settings?
>
> The current settings I have are:
>
> session.auto_start Off
> session.bug_compat_42 On
> session.bug_compat_warn On
> session.cache_expire 180
> session.cache_limiter nocache
> session.cookie_domain no value
> session.cookie_httponly Off
> session.cookie_lifetime 0
> session.cookie_path /
> session.cookie_secure Off
> session.entropy_file no value
> session.entropy_length 0
> session.gc_divisor 100
> session.gc_maxlifetime 3600
> session.gc_probability 1
> session.hash_bits_per_character 4
> session.hash_function 0
> session.name PHPSESSID
> session.referer_check no value
> session.save_handler files
> session.save_path /shared/sessions
> session.serialize_handler php
> session.use_cookies On
> session.use_only_cookies Off
> session.use_trans_sid 0
>
> The only options I have changed from the defaults are gc_maxlifetime, gc_probability and save_path. There are several sites on the same server, some are https, others just plain http. They all use the same session options. session_start() is called once on every page.
>
> The PHP version we're running is: PHP 5.2.6-1+lenny13 with Suhosin-Patch 0.9.6.2 (cli) (built: Jul 1 2011 16:01:01). I'm aware it's an old version before anyone tells me to upgrade (it's the latest stable version in Debian Lenny). :)
>
> Potential problems I have already ruled out:
>
> 1. I don't think it's a browser problem as the users have a variety of browsers and versions (we log the user agent for each login, they're mostly IE7/8 on XP/Vista/7 with a few Chrome users), and I can't reproduce the problem using the same browsers on my machine.
> 2. The server time is correct.
> 3. The sessions aren't stored in a directory which is being regularly cleared out, such as /var/lib/php5 or /tmp.
> 4. The web server has permission to write to the save_path directory, and I can see session files being created.
> 5. No output buffering functions are being used.
>
> Can anyone suggest things which I could try? I cannot work out why this problem is happening for some users but not me.
>
> Thanks in advance.
>
> Paul

How do you handle multiple logins?

If I login using my laptop and get Session A for my account and then I login using my desktop and get Session B for my account, does Session A get killed?

Do you allow multiple, simultaneous logins per account?

-- 
Richard Quadling
Twitter : EE : Zend : PHPDoc
@RQuadling : e-e.com/M_248814.html : bit.ly/9O8vFY : bit.ly/lFnVea
Re: [PHP] PHP sessions expiring early
On 7 September 2011 11:20, Paul Waring p...@phpdeveloper.org.uk wrote:
> Can anyone suggest things which I could try? I cannot work out why this problem is happening for some users but not me.

For browsers/extensions that do automatic read ahead (I load page A and linked pages B and C are also retrieved), is there the potential for cached pages to be returned for a user NOT logged in?

-- 
Richard Quadling
Twitter : EE : Zend : PHPDoc
@RQuadling : e-e.com/M_248814.html : bit.ly/9O8vFY : bit.ly/lFnVea
Re: [PHP] PHP sessions expiring early
Just confirm once that you are not calling session_destroy somewhere.

Thanks,
Vikash Kumar
--
http://vika.sh

On 7 September 2011 16:46, Richard Quadling rquadl...@gmail.com wrote:
> On 7 September 2011 11:20, Paul Waring p...@phpdeveloper.org.uk wrote:
>> Can anyone suggest things which I could try? I cannot work out why this problem is happening for some users but not me.
>
> For browsers/extensions that do automatic read ahead (I load page A and linked pages B and C are also retrieved), is there the potential for cached pages to be returned for a user NOT logged in?
>
> -- 
> Richard Quadling
> Twitter : EE : Zend : PHPDoc
> @RQuadling : e-e.com/M_248814.html : bit.ly/9O8vFY : bit.ly/lFnVea
Re: [PHP] PHP sessions expiring early
On 07/09/11 12:15, Richard Quadling wrote:
> How do you handle multiple logins?
>
> If I login using my laptop and get Session A for my account and then I login using my desktop and get Session B for my account, does Session A get killed?

Session A is killed, your last login is always the current one.

> Do you allow multiple, simultaneous logins per account?

No, but then each user is accessing their account from a single machine and browser anyway (i.e. they don't switch from desktop to laptop and then back again), so we don't even have people trying to have simultaneous logins.

-- 
Paul Waring
http://www.phpdeveloper.org.uk
Re: [PHP] PHP sessions expiring early
On 07/09/11 12:20, vikash.i...@gmail.com wrote:
> Just confirm once that you are not calling session_destroy somewhere.

The only place session_destroy is called is in the logout function, which itself is only called if a user clicks the logout link.

-- 
Paul Waring
http://www.phpdeveloper.org.uk
Re: [PHP] PHP sessions expiring early
On 07/09/11 12:16, Richard Quadling wrote:
> On 7 September 2011 11:20, Paul Waring p...@phpdeveloper.org.uk wrote:
>> Can anyone suggest things which I could try? I cannot work out why this problem is happening for some users but not me.
>
> For browsers/extensions that do automatic read ahead (I load page A and linked pages B and C are also retrieved).

I hadn't thought of that. However, we audit all user logins and logouts, as well as all page requests. If the browser was pre-fetching the logout page, we'd have 'user logout' entries in our logs, but the only notices we have are for users logging in. If users were being logged out because of pre-fetching, I'd expect to see each login entry have a corresponding logout entry.

> Is there the potential for cached pages to be returned for a user NOT logged in?

Any pages which a user has viewed whilst logged in shouldn't be cached, assuming the browser is respecting the headers. They are all sent with:

Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0

-- 
Paul Waring
http://www.phpdeveloper.org.uk
Re: [PHP] PHP sessions expiring early
On 07/09/11 13:42, Richard Quadling wrote:
> On 7 September 2011 12:32, Paul Waring p...@phpdeveloper.org.uk wrote:
>> On 07/09/11 12:16, Richard Quadling wrote:
>>> On 7 September 2011 11:20, Paul Waring p...@phpdeveloper.org.uk wrote:
>>>> Can anyone suggest things which I could try? I cannot work out why this problem is happening for some users but not me.
>>>
>>> For browsers/extensions that do automatic read ahead (I load page A and linked pages B and C are also retrieved).
>>
>> I hadn't thought of that. However, we audit all user logins and logouts, as well as all page requests. If the browser was pre-fetching the logout page, we'd have 'user logout' entries in our logs, but the only notices we have are for users logging in. If users were being logged out because of pre-fetching, I'd expect to see each login entry have a corresponding logout entry.
>>
>>> Is there the potential for cached pages to be returned for a user NOT logged in?
>>
>> Any pages which a user has viewed whilst logged in shouldn't be cached, assuming the browser is respecting the headers. They are all sent with:
>>
>> Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
>
> How is your code determining if they need to be redirected back to the login page?

The test is whether two $_SESSION elements are set and match ones in the database, plus whether the last page view by the user (stored in the database, updated on each request) was less than one hour ago.

> What changes that information?

A page load changes the 'last page view time'. Nothing changes the other session data, except an explicit logout (which sets $_SESSION = array() and calls session_destroy).

> Can you monitor it externally?

I'm not sure what you mean by 'externally'. Most of the site requires a login, so it's not possible for a third-party to monitor it if that's what you mean.

-- 
Paul Waring
http://www.phpdeveloper.org.uk
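A diagnostic version of the login check Paul describes in this reply, added here as an example and not code from the thread, written in the PHP 5.2 syntax in use on the page. The PDO handle $db, the users table with columns session_token and last_seen, and the $_SESSION keys user_id and token are assumed names. It logs, per request, whether the session cookie arrived, whether its file still existed in save_path before session_start() could recreate it, and which step of the database check failed, so "logged out after a few minutes" reports can be matched against a concrete cause.

```php
<?php
// Added diagnostic, not code from the thread; PHP 5.2 syntax as on the page.
// Assumed names: PDO handle $db, table users(id, session_token, last_seen),
// and login storing 'user_id' and 'token' in $_SESSION.
// Inspect the cookie BEFORE session_start(): the files handler recreates a
// missing file on start, which would hide the evidence of early removal.
function session_file_state()
{
    $name = session_name();
    if (!isset($_COOKIE[$name])) {
        return 'no-cookie';      // browser sent no id, PHP will mint a fresh one
    }
    $id = $_COOKIE[$name];
    if (!preg_match('/^[A-Za-z0-9,-]{1,128}$/', $id)) {
        return 'bad-cookie';     // never build a path from an unvalidated id
    }
    $path = rtrim(ini_get('session.save_path'), '/') . '/sess_' . $id;
    if (!is_file($path)) {
        return 'file-missing';   // gc, or something else touching the shared save_path
    }
    return 'file-present age=' . (time() - filemtime($path)) . 's';
}

// The check Paul describes: two $_SESSION values matched against the database,
// plus last page view under one hour ago. Returns the failing step by name.
function login_check(PDO $db)
{
    if (empty($_SESSION['user_id']) || empty($_SESSION['token'])) {
        return 'session-empty';  // file exists but carries no login data
    }
    $stmt = $db->prepare('SELECT session_token, last_seen FROM users WHERE id = ?');
    $stmt->execute(array($_SESSION['user_id']));
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row || $row['session_token'] !== $_SESSION['token']) {
        return 'token-mismatch'; // a later login for this account replaced the token
    }
    if (time() - strtotime($row['last_seen']) > 3600) {
        return 'idle-timeout';
    }
    return 'ok';
}

$file_state = session_file_state();
session_start();
$result = login_check($db);
error_log(sprintf('[sesscheck] sid=%s file=%s result=%s ua=%s', session_id(),
    $file_state, $result, isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '-'));
if ($result !== 'ok') {
    header('Location: /login.php');
    exit;
}
```

The per-request update of last_seen on a successful check is left out; a run of 'file-missing' entries with a small age on the previous request points at the files being removed, while 'no-cookie' entries from one user agent point at the browser not returning the cookie.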