Session issue

[btaber]

I have the session setting in the ini defaults. For some reason, the sessions seam to be expiring after a few hours. I thought the sessions would be valid until the browser was closed. Am I missing something? Does the browser expire session cookies even though it was never closed? As a matter of fact, it seams that tek-tips does the same thing. If you are in a forum and you leave it alone for a couple of hours, if you click on the forum again, it goes to the home page...

Brian

 

[sleipnir214]

There are two components to a session variable.

First is the session ID cookie on the browser. By default, that cookie is set to last until the browser is shut down.

However, a matching session store (by default on the server's filesystem) must also exist. Without it, the session actually still works, but all the variables in it are missing.

PHP has a garbage-collection mechanism which automatically clears out session stores. Every time session_start() is invoked, PHP randomly picks a number. If that number is equal to or smaller than session.gc_probability divided by session.gc_divisor, then PHP starts garbage-collection.

PHP decides what is garbage based on session.gc_maxlifetime. Any session stores older in seconds than that value will be deleted when the garbage-collection mechanism fires off. (Every time you run a script that manipulates sessions, the time/date stamp on that file is updated.)

So it may very well be that your browser is sending a session ID to PHP, but that PHP has already deleted the session store matching that ID. In which case your session variables will not be available.




Want the best answers? Ask the best questions!

TANSTAAFL!!

 

[btaber]

That is what I was figuring... the gc is set to 1440, I thought the gc was in minutes? so that would be 24 hours, correct?

 

[sleipnir214]

No, the PHP online manual and the comments in the default php.ini both state that ssession.gc_maxlifetime is a number of seconds.

So, that's 24 minutes.

Just keep in mind that that's 24 minutes without any activity from that particular user. Every time a user hits a script which manipulates sessions, even if that manipulation is only to invoke session_start(), then the time/date stamp on the session datafile is updated.



Want the best answers? Ask the best questions!

TANSTAAFL!!

 

[btaber]

Ok, so with 1% probablility, the session could be deleted in 24 minuites. Makes more sense now. I decided to handle the session for this one site on a mysql database so I can be sure of things without affecting any of our other customers. Thank you for your information.

 

[sleipnir214]

On sites I've created where sessions are used heavily, I let my clients decide how long an inactive session should last.

Then I set session.gc_probability to 1, session.gc_divisor to 1, and session.gc_maxlifetime to the client's required number of seconds.

I've always run Apache and PHP for client sites. If multiple clients with differing session save time requirements are on the same server, I set the values in httpd.conf



You mentioned using MySQL as your session store. I have a FAQ in this forum which shows how I did that through PHP's session handling mechanism: faq434-2037

Or are you going to bypass PHP's session-handling mechanism entirely?



Want the best answers? Ask the best questions!

TANSTAAFL!!

 

[btaber]

Yes, I am going to use my own session handler. That FAQ you have is basically like the script I have now. Works great for another site I did, I wanted more security for the session information. I kind of forgot I had it

Brian