Session timeout 2

[rob51383]

Can anyone please explain to me why this works (In their own words, I have already ready everything that exist about sessions trying to get it to work). I just want to make sure it works because that is how it should work before I move on and accept this logic. Here is the code:

<?php
ini_set('session.gc_maxlifetime', 20);
ini_set('session.gc_divisor', 1);

session_start();

if(isset($value))
 {
 $value++;
 }
else
 {
 session_register('value');
 $value = 1;
 }

Print "You have been here $value times. <br>";

print '<a href="_test.php">Refresh</a>';

?>

What gets me is if I only set "ini_set('session.gc_maxlifetime', 20);" it will not run the garbage collector after 20 seconds (I am not sure how long before it runs, I have not waited long enough).

But when I set "ini_set('session.gc_divisor', 1);" the session data will be lost after about 40 seconds every time (Why not 20?)

From my understanding of gc_divisor it determines probability that the GC runs (gc_probability/gc_divisor). In my case I set it to '1' so it is 1/1 (100%). But this does not really make since either because default is 100 (1/100 = 1%) but that is saying that GC will only run 1 out of 100 session starts, which is not the case because if I set nothing I loose session data every 1440 seconds (session.gc_maxlifetime default value) consistently.

The whole purpose of doing this is I want to make it so that sessions ALWAYS last until the user closes their browser window. I cant figure this out so I will instead set session.gc_maxlifetime to a REALLY high number. Unless of course there is an easier way to do this!

 

[rob51383]

Mybe it is kind of difficult to see what I am asking so simply put:

Why does the session only get deleted at the specified time when I specify "ini_set('session.gc_divisor', 1);"

If I do not specify the divisor it will not delete the session data after the specified gc_maxlifetime.

Also, why does it take 40 seconds to delete the data when I specify 20 seconds?

Thanks for any insight!

 

[sleipnir214]

Have you taken a look at faq434-4908 ?

Want the best answers? Ask the best questions!

TANSTAAFL!!

 

[rob51383]

Yes, I have seen your FAQ (about 20 times) but I do not need a general explination, I have quite a specific question with coded examples. As far as any FAQ or php.net links, I have seen them all. I can not figure out my problem with logic, and I think I basically re-wrote your faq in my question to show I understood everything =)

I just set session.gc_maxlifetime to 86400 (24hr) but it expired much sooner (I just set it and went to sleep). I am thinking it expired in the standard 1440 seconds. I just started a new session to see if 1440 seconds is correct.

I even included the code below in my script to make sure php.ini was updated, it is returning the value I set: echo 'Max Life = ' . ini_get('session.gc_maxlifetime') . "\n";

What I am really looking for is something I can look at to troubleshoot as to why my sessions do not last as long as the browser is open! A coded example, additional code I can pass to test it, anything!

What seems strange is when I set gc_maxlife & gc_divisor really low, the session exopires soon, when I set it high it does not expire at a high value.

I am about dead from looking at FAQ, refferences, articles and basically reading the internet. So if someone could try and comment on my specific issue that would be great!

 

[sleipnir214]

For PHP to be able to populate $_SESSION, two things must be in order.

First, the data must be available in a session store. Second, PHP must be able to open the correct session store.


The php.ini settings session.gc_maxlifetime, session.gc_probability and session.gc_divisor control how long the session store is allowed to exist on the filesystem of the server. gc_probability and gc_divisor are the numerator and denominator of a fraction. If PHP generates a random number between 0 and 1 and that number is smaller than the fraction gc_probability over gc_divisor, PHP's session garbage collection takes place. When it does take place, all session stores older in seconds than session.gc_maxlifetime are deleted.


The second requirement, PHP's being able to find the correct session store, is dependent on the user's browser sending a session ID back to the server. If you are passing the ID on the URL, there are no php.ini settings to worry about. If you are passing the ID in a cookie (the default), then session.cookie_lifetime comes into play. This sets the length of time, in seconds, that a session cookie is supposed to exist in the browser.


If your sessions are not lasting as long as they should, you must debug two things: is the session store still there, and is the session ID being sent.

Want the best answers? Ask the best questions!

TANSTAAFL!!

 

[rob51383]

How do I check if the session store is still there?

When I do not set "ini_set('session.save_path', '$path')" the path defaults to '/temp' but no files are ever created there. When I set the save_path to my $path the session files appear in the directory I set.

I am not sure what is causing what but sometimes a cookie is created on the client, sometimes not. Sometimes the URL's are appended to included the PHPSESID, sometimes not.

Sometimes when a cookie is not set on the client and the PHPSESID is not added to the URL the session will still register, sometimes not.

Does anyone have any sample code I could run that will:

1. Set a session cookie on the clients machine if cookies are enabled.

2. if cookies are NOT enabled then append all the URLS to include the PHPSESID (In accordance with 'url_rewriter.tags'). If cookies are enable, do not append URL's.

3. Make the session data save for 30 days if cookies are enabled on the client. If cookies are not enabled, save session data untill the browser is closed.


Maybe i am asking too much but I have seriously tried EVERYTHING and every setting but I can't get the combination correct to do what I want. I really like to figure things out on my own but this is killing me here

I can guarantee a star will be issued for whoever can figure this out, as I am asking alot!

 

[sleipnir214]

When I do not set "ini_set('session.save_path', '$path')" the path defaults to '/temp' but no files are ever created there. When I set the save_path to my $path the session files appear in the directory I set.

On what operating system are you running PHP? On unix-like OSes, the directory name is typically /tmp, not /temp.

1. Set a session cookie on the clients machine if cookies are enabled.

<?php
session_start();
?>

Should do it. But this depends not on code, but on php.ini settings. What are is the setting of session.use_cookies? session.use_only_cookies?

2. if cookies are NOT enabled then append all the URLS to include the PHPSESID (In accordance with 'url_rewriter.tags'). If cookies are enable, do not append URL's.

<?php
session_start();
?>

Might do it. But to the best of my knowledge, there is no deterministic way to know whether a browser has cookies turned off. It's just that the site doesn't work right. You generally have to make a decision that you will either:[ul][li]use URLs for the session IDs and set session.use_cookies to 0 and session.use_trans_sid to 1 or [/li][li]tell your users they have to have cookies turned on and set session.use_only_cookies to 1 and session.use_trans_sid to 0[/li][/ul]

3. Make the session data save for 30 days if cookies are enabled on the client. If cookies are not enabled, save session data untill the browser is closed.

Set session.gc_probability to 1
Set session.gc_divisor to 1
Set session.gc_maxlifetime to 2592000
Set session.cookie_lifetime to 2592000
and
[ul][li]use URLs for the session IDs and set session.use_cookies to 0 and session.use_trans_sid to 1 or [/li][li]tell your users they have to have cookies turned on and set session.use_only_cookies to 1 and session.use_trans_sid to 0[/li][/ul]


Want the best answers? Ask the best questions!

TANSTAAFL!!

 

[rob51383]

Ok, I think I finally got it. I can't do what I want to do with sessions! At least I finally got the sessions to register in the manner I expected. I think it is the combination of ini settings you gave me. This is what gives me the expected results of expiring at 20 seconds:

ini_set('session.gc_probability', 1);
ini_set('session.gc_divisor', 1);
ini_set('session.gc_maxlifetime', 20);
ini_set('session.cookie_lifetime', 20);
ini_set('session.use_only_cookies', 1);
ini_set('session.use_trans_sid', 0);

One problem I have though is it will not let me set: ini_set('session.use_trans_sid', 0); it always stays on.

Here is my ini settings pertaining to sessions after running the above code (it is /tmp, was a typo, sorry):

Directive                   Local Value       Master Value 

session.auto_start          Off               Off 
session.bug_compat_42       On                On 
session.bug_compat_warn     On                On 
session.cache_expire        180               180 
session.cache_limiter       nocache           nocache 
session.cookie_domain       no value          no value 
session.cookie_lifetime     20                0 
session.cookie_path         /                 / 
session.cookie_secure       Off               Off 
session.entropy_file        no value          no value 
session.entropy_length      0                 0 
session.gc_divisor          1                 100 
session.gc_maxlifetime      20                1440 
session.gc_probability      1                 1 
session.name                PHPSESSID         PHPSESSID 
session.referer_check       no value          no value 
session.save_handler        files             files 
session.save_path           /tmp              /tmp 
session.serialize_handler   php               php 
session.use_cookies         On                On 
session.use_only_cookies    On                Off 
session.use_trans_sid       On                On

Here is some more server info:

Apache: 1.3.34 (Unix)
PHP: 4.3.11




Do you know anything about how most shopping carts work? I have previewed many around the web and tested them. Most of them seem to work with cookies turned off, but I can’t see their code, and there are not so many in PHP to mimic.

I am thinking they get some specific client identifier such as IP or something to use as a client identifier.

Is there anything you can get from the client that will always be unique and will always be able to be retrieved?

 

[rob51383]

Just let it sit there for a few hours with the following code and it still timed out.

What is even more strange is when I start a new session, then delete the cookie on the client that is created from session_start() it still keeps the current session values and I am not passing the PHPSESSID through the URL!

How is it getting the session ID?

<?php


ini_set('session.gc_probability', 1);
ini_set('session.gc_divisor', 1);
ini_set('session.gc_maxlifetime', 86400);
ini_set('session.cookie_lifetime', 86400);
ini_set('session.use_trans_sid', 0);
ini_set('session.use_only_cookies', 1);




 

session_start();



if(isset($value))
	{
	$value++;
	}
else
	{
	session_register('value');
	$value = 1;
	}

Print "You have been here $value times. <br>";

print '<a href="_test.php">Refresh</a><br><br><br>';

echo 'Max Life = ' . ini_get('session.gc_maxlifetime') . "<br>";

echo 'Divisor = ' . ini_get('session.gc_divisor') . "<br>";

echo 'Save Path = ' . ini_get('session.save_path') . "<br>";



// print_r(session_get_cookie_params());

phpinfo(INFO_MODULES);
?>

 

[btaber]

Not sure if you solved your problem, but if you are running multiple PHP scripts that use sessions and you do not set the gc time in every script, that it gets defaults and gets gobbled up. Best bet is to make sure you set gc in every script and store your own session in a folder only your scripts access. I have run into this and just ened up using DB session management, then no chance of things dissapearing....

 

[rob51383]

I got it working by setting my own cookie with the PDPSESSID. I think the actual problem is the cookie session_start() sets is not sticking with the time parameter set (maybe syntax or implimentation), or maybe it is something else.

I am going to look into DB session management because I would like to avoid cookies all together to be compatiable with all setups that restrict cookies. Thanks for turning me onto DB management (I know nothing about it yet) but it sounds like it is just what I am looking for! I will let you know how it goes.

Here is the code that solved my problem:

<?php
ini_set('session.gc_probability', 1);
ini_set('session.gc_divisor', 1);
ini_set('session.gc_maxlifetime', 86400);
ini_set('session.cookie_lifetime', 86400);
ini_set('session.use_trans_sid', 0);
ini_set('session.use_only_cookies', 1);
ini_set('session.save_path', '/path/to/your/custom/directory/');

if(isset($_COOKIE['cookie'])){$PHPSESSID = $_COOKIE['cookie'];} 

session_start();

$sessionname = session_id();
setcookie ('cookie', $sessionname, 86400, '/', '.yourdomain.com', 0);

if(isset($value))
	{
	$value++;
	}
else
	{
	session_register('value');
	$value = 1;
	}

Print "You have been here $value times. <br>";

print '<a href="_test.php">Refresh</a><br><br><br>';

?>