Re: [PHP] PHP sessions expiring early
On 07/09/11 13:42, Richard Quadling wrote:

> On 7 September 2011 12:32, Paul Waring wrote:
> > On 07/09/11 12:16, Richard Quadling wrote:
> > > On 7 September 2011 11:20, Paul Waring wrote:
> > > > Can anyone suggest things which I could try? I cannot work out why this problem is happening for some users but not me.
> > >
> > > For browsers/extensions that do automatic read ahead (I load page A and linked pages B and C are also retrieved).
> >
> > I hadn't thought of that. However, we audit all user logins and logouts, as well as all page requests. If the browser was pre-fetching the logout page, we'd have 'user logout' entries in our logs, but the only notices we have are for users logging in. If users were being logged out because of pre-fetching, I'd expect to see each login entry have a corresponding logout entry.
> >
> > > Is the potential for cached pages to be returned for a user NOT logged in?
> >
> > Any pages which a user has viewed whilst logged in shouldn't be cached, assuming the browser is respecting the headers. They are all sent with:
> >
> > Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
>
> How is your code determining if they need to be redirected back to the login page?

The test is whether two $_SESSION elements are set and match ones in the database, plus whether the last page view by the user (stored in the database, updated on each request) was less than one hour ago.

> What changes that information?

A page load changed the 'last page view time'. Nothing changes the other session data, except an explicit logout (which sets $_SESSION = array() and calls session_destroy).

> Can you monitor it externally?

I'm not sure what you mean by 'externally'. Most of the site requires a login, so it's not possible for a third-party to monitor it if that's what you mean.

--
Paul Waring
http://www.phpdeveloper.org.uk

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
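The login test described in the message above (two $_SESSION elements matched against the database, plus a one-hour limit on the last page view), written so that each failure reports its own reason. This is an added example, not code from the thread; the key names user_id, login_token and last_view are assumptions.

```php
<?php
// Added example. The keys user_id, login_token and last_view are hypothetical
// names, not taken from the site discussed in the thread. Needs PHP 5.6+.

const IDLE_LIMIT = 3600; // "less than one hour ago"

/**
 * Return 'ok', or the specific reason this request would be redirected to login.
 * $session is the content of $_SESSION; $row is the user's database row or null.
 */
function session_check_reason(array $session, $row, $now)
{
    if (!isset($session['user_id'], $session['login_token'])) {
        // No session data reached PHP: cookie not sent, or session file gone.
        return 'session_empty';
    }
    if ($row === null || (string) $row['user_id'] !== (string) $session['user_id']) {
        return 'unknown_user';
    }
    if (!hash_equals((string) $row['login_token'], (string) $session['login_token'])) {
        // The stored token was replaced, e.g. by a newer login on the account.
        return 'token_mismatch';
    }
    if ($now - (int) $row['last_view'] >= IDLE_LIMIT) {
        return 'idle_timeout';
    }
    return 'ok';
}

// Constructed sample data: two database rows, four incoming sessions.
$now = 1315399320;
$row = array('user_id' => 42, 'login_token' => 'tok-B', 'last_view' => $now - 120);
$stale = array('user_id' => 42, 'login_token' => 'tok-B', 'last_view' => $now - 4000);
$cases = array(
    array('current login', array('user_id' => 42, 'login_token' => 'tok-B'), $row),
    array('older login',   array('user_id' => 42, 'login_token' => 'tok-A'), $row),
    array('lost session',  array(), $row),
    array('idle too long', array('user_id' => 42, 'login_token' => 'tok-B'), $stale),
);
foreach ($cases as $case) {
    list($label, $session, $dbRow) = $case;
    // In a real check this line would go to the audit log before the redirect.
    printf("%-14s %s\n", $label, session_check_reason($session, $dbRow, $now));
}
```

Recording the reason next to the existing login and logout audit entries shows which condition is sending a user back to the login form.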
Re: [PHP] PHP sessions expiring early
On 07/09/11 12:16, Richard Quadling wrote:

> On 7 September 2011 11:20, Paul Waring wrote:
> > Can anyone suggest things which I could try? I cannot work out why this problem is happening for some users but not me.
>
> For browsers/extensions that do automatic read ahead (I load page A and linked pages B and C are also retrieved).

I hadn't thought of that. However, we audit all user logins and logouts, as well as all page requests. If the browser was pre-fetching the logout page, we'd have 'user logout' entries in our logs, but the only notices we have are for users logging in. If users were being logged out because of pre-fetching, I'd expect to see each login entry have a corresponding logout entry.

> Is the potential for cached pages to be returned for a user NOT logged in?

Any pages which a user has viewed whilst logged in shouldn't be cached, assuming the browser is respecting the headers. They are all sent with:

Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0

--
Paul Waring
http://www.phpdeveloper.org.uk
Re: [PHP] PHP sessions expiring early
On 07/09/11 12:20, vikash.i...@gmail.com wrote:

> Just confirm once that you are not calling session_destroy somewhere.

The only place session_destroy is called is in the logout function, which itself is only called if a user clicks the logout link.

--
Paul Waring
http://www.phpdeveloper.org.uk
Re: [PHP] PHP sessions expiring early
On 07/09/11 12:15, Richard Quadling wrote:

> How do you handle multiple logins? If I login using my laptop and get Session A for my account and then I login using my desktop and get Session B for my account, does Session A get killed?

Session A is killed, your last login is always the current one.

> Do you allow multiple, simultaneous logins per account?

No, but then each user is accessing their account from a single machine and browser anyway (i.e. they don't switch from desktop to laptop and then back again), so we don't even have people trying to have simultaneous logins.

--
Paul Waring
http://www.phpdeveloper.org.uk
Re: [PHP] PHP sessions expiring early
Just confirm once that you are not calling session_destroy somewhere.

Thanks,
Vikash Kumar
--
http://vika.sh

On 7 September 2011 16:46, Richard Quadling wrote:

> On 7 September 2011 11:20, Paul Waring wrote:
> > Can anyone suggest things which I could try? I cannot work out why this problem is happening for some users but not me.
>
> For browsers/extensions that do automatic read ahead (I load page A and linked pages B and C are also retrieved).
>
> Is the potential for cached pages to be returned for a user NOT logged in?
>
> --
> Richard Quadling
> Twitter : EE : Zend : PHPDoc
> @RQuadling : e-e.com/M_248814.html : bit.ly/9O8vFY : bit.ly/lFnVea
Re: [PHP] PHP sessions expiring early
On 7 September 2011 11:20, Paul Waring wrote:

> Can anyone suggest things which I could try? I cannot work out why this problem is happening for some users but not me.

For browsers/extensions that do automatic read ahead (I load page A and linked pages B and C are also retrieved).

Is the potential for cached pages to be returned for a user NOT logged in?

--
Richard Quadling
Twitter : EE : Zend : PHPDoc
@RQuadling : e-e.com/M_248814.html : bit.ly/9O8vFY : bit.ly/lFnVea
Re: [PHP] PHP sessions expiring early
On 7 September 2011 11:20, Paul Waring wrote:

> I'm having trouble with a PHP website which requires users to be logged in to access all content other than the home page and a couple of static pages (about us, contact us etc.). Several users have said they are being logged out every few minutes whilst using the site - they can login but will be shown the login form again after a few minutes. I can't confirm this myself as the site seems to work fine for me - even using the same browser as they are and under their accounts - but I'm wondering if this could be a problem with the session settings?
>
> The current settings I have are:
>
> session.auto_start               Off
> session.bug_compat_42            On
> session.bug_compat_warn          On
> session.cache_expire             180
> session.cache_limiter            nocache
> session.cookie_domain            no value
> session.cookie_httponly          Off
> session.cookie_lifetime          0
> session.cookie_path              /
> session.cookie_secure            Off
> session.entropy_file             no value
> session.entropy_length           0
> session.gc_divisor               100
> session.gc_maxlifetime           3600
> session.gc_probability           1
> session.hash_bits_per_character  4
> session.hash_function            0
> session.name                     PHPSESSID
> session.referer_check            no value
> session.save_handler             files
> session.save_path                /shared/sessions
> session.serialize_handler        php
> session.use_cookies              On
> session.use_only_cookies         Off
> session.use_trans_sid            0
>
> The only options I have changed from the defaults are gc_maxlifetime, gc_probability and save_path. There are several sites on the same server, some are https, others just plain http. They all use the same session options. session_start() is called once on every page.
>
> The PHP version we're running is: PHP 5.2.6-1+lenny13 with Suhosin-Patch 0.9.6.2 (cli) (built: Jul 1 2011 16:01:01). I'm aware it's an old version before anyone tells me to upgrade (it's the latest stable version in Debian Lenny). :)
>
> Potential problems I have already ruled out:
>
> 1. I don't think it's a browser problem as the users have a variety of browsers and versions (we log the user agent for each login, they're mostly IE7/8 on XP/Vista/7 with a few Chrome users), and I can't reproduce the problem using the same browsers on my machine.
>
> 2. The server time is correct.
>
> 3. The sessions aren't stored in a directory which is being regularly cleared out, such as /var/lib/php5 or /tmp.
>
> 4. The web server has permission to write to the save_path directory, and I can see session files being created.
>
> 5. No output buffering functions are being used.
>
> Can anyone suggest things which I could try? I cannot work out why this problem is happening for some users but not me.
>
> Thanks in advance.
>
> Paul

How do you handle multiple logins? If I login using my laptop and get Session A for my account and then I login using my desktop and get Session B for my account, does Session A get killed?

Do you allow multiple, simultaneous logins per account?

--
Richard Quadling
Twitter : EE : Zend : PHPDoc
@RQuadling : e-e.com/M_248814.html : bit.ly/9O8vFY : bit.ly/lFnVea
Re: [PHP] PHP sessions expiring early
On 07/09/11 11:47, Nilesh Govindarajan wrote:

> On 09/07/2011 03:50 PM, Paul Waring wrote:
> > I'm having trouble with a PHP website which requires users to be logged in to access all content other than the home page and a couple of static pages (about us, contact us etc.). Several users have said they are being logged out every few minutes whilst using the site - they can login but will be shown the login form again after a few minutes. I can't confirm this myself as the site seems to work fine for me - even using the same browser as they are and under their accounts - but I'm wondering if this could be a problem with the session settings?
>
> You have set gc_maxlifetime to 3600 seconds. How much expire time have you set? Because, every 3600 seconds, session data stored is considered as garbage and php clears them out itself.

Yes, I'm aware of that. However, users are being logged out after a few minutes, not one hour of inactivity (which is what I'd expect with 3600 seconds).

> If your expiration time is more than 3600 seconds, then this will not work. You need to increase gc_maxlifetime.

If you mean the expiration time of the session cookie, it is set to 0, which means it shouldn't be deleted until the browser is closed (or the user logs out, at which point it is deleted immediately).

Paul

--
Paul Waring
http://www.phpdeveloper.org.uk
Re: [PHP] PHP sessions expiring early
On 09/07/2011 03:50 PM, Paul Waring wrote:

> I'm having trouble with a PHP website which requires users to be logged in to access all content other than the home page and a couple of static pages (about us, contact us etc.). Several users have said they are being logged out every few minutes whilst using the site - they can login but will be shown the login form again after a few minutes. I can't confirm this myself as the site seems to work fine for me - even using the same browser as they are and under their accounts - but I'm wondering if this could be a problem with the session settings?

You have set gc_maxlifetime to 3600 seconds. How much expire time have you set? Because, every 3600 seconds, session data stored is considered as garbage and php clears them out itself.

If your expiration time is more than 3600 seconds, then this will not work. You need to increase gc_maxlifetime.

For the other case, I'm clueless.

--
Nilesh Govindarajan
http://nileshgr.com