Re: [PHP] PHP sessions expiring early

2011-09-07 Thread Paul Waring

On 07/09/11 13:42, Richard Quadling wrote:
> On 7 September 2011 12:32, Paul Waring wrote:
> > On 07/09/11 12:16, Richard Quadling wrote:
> > > On 7 September 2011 11:20, Paul Waring wrote:
> > > > Can anyone suggest things which I could try? I cannot work out why this
> > > > problem is happening for some users but not me.
> > >
> > > For browsers/extensions that do automatic read ahead (I load page A
> > > and linked pages B and C are also retrieved).
> >
> > I hadn't thought of that. However, we audit all user logins and logouts, as
> > well as all page requests. If the browser was pre-fetching the logout page,
> > we'd have 'user logout' entries in our logs, but the only notices we have
> > are for users logging in. If users were being logged out because of
> > pre-fetching, I'd expect to see each login entry have a corresponding logout
> > entry.
> >
> > > Is the potential for cached pages to be returned for a user NOT logged in?
> >
> > Any pages which a user has viewed whilst logged in shouldn't be cached,
> > assuming the browser is respecting the headers. They are all sent with:
> >
> > Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
>
> How is your code determining if they need to be redirected back to the
> login page?

The test is whether two $_SESSION elements are set and match ones in the
database, plus whether the last page view by the user (stored in the
database, updated on each request) was less than one hour ago.

> What changes that information?

A page load changed the 'last page view time'. Nothing changes the other
session data, except an explicit logout (which sets $_SESSION = array()
and calls session_destroy).

> Can you monitor it externally?

I'm not sure what you mean by 'externally'. Most of the site requires a
login, so it's not possible for a third-party to monitor it if that's
what you mean.


--
Paul Waring
http://www.phpdeveloper.org.uk

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
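
The login test described in the message above (two session values matching the database, plus a last page view under one hour old), written so that every redirect to the login form carries the condition that failed; the audit log in the thread records only explicit logins and logouts. This is an added example, not code from the thread: the key names, reason codes and sample rows are assumptions, and it targets current PHP (7.1+) rather than the 5.2.6 install discussed.

```php
<?php
// Added example, not code from the thread. Key names, reason codes and the
// sample data are assumptions made for illustration.

const IDLE_LIMIT = 3600; // "less than one hour ago", in seconds

/**
 * Returns 'ok', or the reason this request must be sent to the login form.
 * $session is the request's $_SESSION; $row is the user's database record.
 */
function check_session(array $session, ?array $row, int $now): string
{
    if (!isset($session['user_id'], $session['token'])) {
        return 'no_session_data';          // cookie not sent, or session file gone
    }
    if ($row === null || (int) $session['user_id'] !== (int) $row['user_id']) {
        return 'unknown_user';
    }
    // Constant-time comparison. A mismatch means a later login replaced this
    // session, which is how "your last login is always the current one" shows up.
    if (!hash_equals((string) $row['token'], (string) $session['token'])) {
        return 'superseded_by_newer_login';
    }
    if ($now - (int) $row['last_view'] >= IDLE_LIMIT) {
        return 'idle_timeout';
    }
    return 'ok';
}

// Constructed sample data standing in for the database row and four requests.
$now = 1315400000;
$row = ['user_id' => 42, 'token' => 'b7e1', 'last_view' => $now - 300];
$requests = [
    'active user'       => [['user_id' => 42, 'token' => 'b7e1'], $row],
    'older login'       => [['user_id' => 42, 'token' => 'a3c9'], $row],
    'empty session'     => [[], $row],
    'idle for two hours' => [['user_id' => 42, 'token' => 'b7e1'],
                             ['last_view' => $now - 7200] + $row],
];

foreach ($requests as $label => [$session, $dbRow]) {
    // In the application this would be written to the audit log beside the
    // login/logout entries, so forced re-logins are no longer silent.
    printf("%-20s -> %s\n", $label, check_session($session, $dbRow, $now));
}
```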



Re: [PHP] PHP sessions expiring early

2011-09-07 Thread Paul Waring

On 07/09/11 12:16, Richard Quadling wrote:
> On 7 September 2011 11:20, Paul Waring wrote:
> > Can anyone suggest things which I could try? I cannot work out why this
> > problem is happening for some users but not me.
>
> For browsers/extensions that do automatic read ahead (I load page A
> and linked pages B and C are also retrieved).

I hadn't thought of that. However, we audit all user logins and logouts,
as well as all page requests. If the browser was pre-fetching the logout
page, we'd have 'user logout' entries in our logs, but the only notices
we have are for users logging in. If users were being logged out because
of pre-fetching, I'd expect to see each login entry have a corresponding
logout entry.

> Is the potential for cached pages to be returned for a user NOT logged in?

Any pages which a user has viewed whilst logged in shouldn't be cached,
assuming the browser is respecting the headers. They are all sent with:

Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0


--
Paul Waring
http://www.phpdeveloper.org.uk




Re: [PHP] PHP sessions expiring early

2011-09-07 Thread Paul Waring

On 07/09/11 12:20, vikash.i...@gmail.com wrote:
> Just confirm once that you are not calling session_destroy somewhere.

The only place session_destroy is called is in the logout function,
which itself is only called if a user clicks the logout link.


--
Paul Waring
http://www.phpdeveloper.org.uk




Re: [PHP] PHP sessions expiring early

2011-09-07 Thread Paul Waring

On 07/09/11 12:15, Richard Quadling wrote:
> How do you handle multiple logins?
>
> If I login using my laptop and get Session A for my account and then I
> login using my desktop and get Session B for my account, does Session
> A get killed?

Session A is killed, your last login is always the current one.

> Do you allow multiple, simultaneous logins per account?

No, but then each user is accessing their account from a single machine
and browser anyway (i.e. they don't switch from desktop to laptop and
then back again), so we don't even have people trying to have
simultaneous logins.


--
Paul Waring
http://www.phpdeveloper.org.uk




Re: [PHP] PHP sessions expiring early

2011-09-07 Thread vikash . iitb
Just confirm once that you are not calling session_destroy somewhere.


Thanks,
Vikash Kumar
--
http://vika.sh


On 7 September 2011 16:46, Richard Quadling  wrote:

> On 7 September 2011 11:20, Paul Waring  wrote:
> > Can anyone suggest things which I could try? I cannot work out why this
> > problem is happening for some users but not me.
>
> For browsers/extensions that do automatic read ahead (I load page A
> and linked pages B and C are also retrieved).
>
> Is the potential for cached pages to be returned for a user NOT logged in?
>
>
>
> --
> Richard Quadling
> Twitter : EE : Zend : PHPDoc
> @RQuadling : e-e.com/M_248814.html : bit.ly/9O8vFY : bit.ly/lFnVea


Re: [PHP] PHP sessions expiring early

2011-09-07 Thread Richard Quadling
On 7 September 2011 11:20, Paul Waring  wrote:
> Can anyone suggest things which I could try? I cannot work out why this
> problem is happening for some users but not me.

For browsers/extensions that do automatic read ahead (I load page A
and linked pages B and C are also retrieved).

Is the potential for cached pages to be returned for a user NOT logged in?



-- 
Richard Quadling
Twitter : EE : Zend : PHPDoc
@RQuadling : e-e.com/M_248814.html : bit.ly/9O8vFY : bit.ly/lFnVea




Re: [PHP] PHP sessions expiring early

2011-09-07 Thread Richard Quadling
On 7 September 2011 11:20, Paul Waring  wrote:
> I'm having trouble with a PHP website which requires users to be logged in
> to access all content other than the home page and a couple of static pages
> (about us, contact us etc.). Several users have said they are being logged
> out every few minutes whilst using the site - they can login but will be
> shown the login form again after a few minutes. I can't confirm this myself
> as the site seems to work fine for me - even using the same browser as they
> are and under their accounts - but I'm wondering if this could be a problem
> with the session settings?
>
> The current settings I have are:
>
> session.auto_start      Off
> session.bug_compat_42   On
> session.bug_compat_warn On
> session.cache_expire    180
> session.cache_limiter   nocache
> session.cookie_domain   no value
> session.cookie_httponly Off
> session.cookie_lifetime 0
> session.cookie_path     /
> session.cookie_secure   Off
> session.entropy_file    no value
> session.entropy_length  0
> session.gc_divisor      100
> session.gc_maxlifetime  3600
> session.gc_probability  1
> session.hash_bits_per_character 4
> session.hash_function   0
> session.name    PHPSESSID
> session.referer_check   no value
> session.save_handler    files
> session.save_path       /shared/sessions
> session.serialize_handler       php
> session.use_cookies     On
> session.use_only_cookies        Off
> session.use_trans_sid   0
>
> The only options I have changed from the defaults are gc_maxlifetime,
> gc_probability and save_path. There are several sites on the same server,
> some are https, others just plain http. They all use the same session
> options. session_start() is called once on every page.
>
> The PHP version we're running is: PHP 5.2.6-1+lenny13 with Suhosin-Patch
> 0.9.6.2 (cli) (built: Jul  1 2011 16:01:01). I'm aware it's an old version
> before anyone tells me to upgrade (it's the latest stable version in Debian
> Lenny). :)
>
> Potential problems I have already ruled out:
>
> 1. I don't think it's a browser problem as the users have a variety of
> browsers and versions (we log the user agent for each login, they're mostly
> IE7/8 on XP/Vista/7 with a few Chrome users), and I can't reproduce the
> problem using the same browsers on my machine.
>
> 2. The server time is correct.
>
> 3. The sessions aren't stored in a directory which is being regularly
> cleared out, such as /var/lib/php5 or /tmp.
>
> 4. The web server has permission to write to the save_path directory, and I
> can see session files being created.
>
> 5. No output buffering functions are being used.
>
> Can anyone suggest things which I could try? I cannot work out why this
> problem is happening for some users but not me.
>
> Thanks in advance.
>
> Paul

How do you handle multiple logins?

If I login using my laptop and get Session A for my account and then I
login using my desktop and get Session B for my account, does Session
A get killed?

Do you allow multiple, simultaneous logins per account?



-- 
Richard Quadling
Twitter : EE : Zend : PHPDoc
@RQuadling : e-e.com/M_248814.html : bit.ly/9O8vFY : bit.ly/lFnVea




Re: [PHP] PHP sessions expiring early

2011-09-07 Thread Paul Waring

On 07/09/11 11:47, Nilesh Govindarajan wrote:
> On 09/07/2011 03:50 PM, Paul Waring wrote:
> > I'm having trouble with a PHP website which requires users to be logged
> > in to access all content other than the home page and a couple of static
> > pages (about us, contact us etc.). Several users have said they are
> > being logged out every few minutes whilst using the site - they can
> > login but will be shown the login form again after a few minutes. I
> > can't confirm this myself as the site seems to work fine for me - even
> > using the same browser as they are and under their accounts - but I'm
> > wondering if this could be a problem with the session settings?
>
> You have set gc_maxlifetime to 3600 seconds. How much expire time have
> you set?
> Because, every 3600 seconds, session data stored is considered as
> garbage and php clears them out itself.

Yes, I'm aware of that. However, users are being logged out after a few
minutes, not one hour of inactivity (which is what I'd expect with 3600
seconds).

> If your expiration time is more than 3600 seconds, then this will not
> work. You need to increase gc_maxlifetime.

If you mean the expiration time of the session cookie, it is set to 0,
which means it shouldn't be deleted until the browser is closed (or the
user logs out, at which point it is deleted immediately).


Paul

--
Paul Waring
http://www.phpdeveloper.org.uk




Re: [PHP] PHP sessions expiring early

2011-09-07 Thread Nilesh Govindarajan
On 09/07/2011 03:50 PM, Paul Waring wrote:
> I'm having trouble with a PHP website which requires users to be logged
> in to access all content other than the home page and a couple of static
> pages (about us, contact us etc.). Several users have said they are
> being logged out every few minutes whilst using the site - they can
> login but will be shown the login form again after a few minutes. I
> can't confirm this myself as the site seems to work fine for me - even
> using the same browser as they are and under their accounts - but I'm
> wondering if this could be a problem with the session settings?
> 

You have set gc_maxlifetime to 3600 seconds. How much expire time have
you set?
Because, every 3600 seconds, session data stored is considered as
garbage and php clears them out itself.

If your expiration time is more than 3600 seconds, then this will not
work. You need to increase gc_maxlifetime.

For the other case, I'm clueless.

-- 
Nilesh Govindarajan
http://nileshgr.com
