> I'm using sessions for authentication in a content management system and
> experiencing rare but occasional problems with the session apparently
> expiring unexpectedly. I've checked the manual and I've reviewed the session
> configuration on the commercial host I'm using. I don't see anything wrong,
> but there are some settings that I don't understand:
>
> session.gc_maxlifetime 1440 -- Garbage collection after 24 minutes? Does
> this mean that the session id and session variables will be cleared after 24
> minutes of inactivity? (Surely not; that doesn't make sense.) And cleared
> from where, the directory specified in session.save_path?

Yes and Yes. After 1440 seconds of not being accessed, they are deleted the next time the garbage collection routine is run.

> session.save_path /tmp -- The session id and session variables are stored in
> this directory, and it's more secure to specify a different directory. Is it
> more stable to specify a different directory? Is it more stable to use a
> database?

Depends on what else your server is doing and how much traffic you get. If you get a lot of traffic, there are going to be a lot of session files sitting in this directory. Keeping it separate from /tmp will just reduce the number of files in the directory. A database adds too much overhead and is only needed in special cases, IMO.

> session.cache_expire 180 -- The cache expires after 3 hours? If
> session.cache_limiter is set to nocache, is session.cache_expire relevant?

Not sure on that one, but it seems logical.

> Basically, I want users to be able to stay logged in to the content
> management system indefinitely, but my tests show that after about 2 hours
> of inactivity, the session expires. (Going to a different page causes the
> session variable that identifies the user to be checked with
> session_is_registered(), and access is denied if the variable isn't
> registered.) Some users have reported this happening after about 30 minutes.

Garbage collection isn't exact. It's triggered (by default) on 1% of the hits to your site. So if two are triggered close together, then someone can be logged out rather quickly at 30 minutes. If there is a long pause where the probability just doesn't trigger the garbage collection, then it may take longer.

> I'm on Linux, PHP 4.1.2, session.cookie_lifetime setting is 0,
> session.use_cookies setting is On, session.use_trans_sid setting is 1, and
> other configurations as mentioned above. Why are sessions expiring? Comments
> and directions to more information are appreciated.

Sessions are lost when the file is cleaned up by garbage collection or when the user closes the browser (by default).

So, if you wanted to use the existing session handling routines, you could set the cookie lifetime to a large value so the cookie isn't deleted and set the gc_maxlifetime to a large value, also. You could possibly turn the gc_probability to zero, so garbage collection is never triggered.

Another option would be to use session_save_path() within your application to save the session files to a separate directory that's writable by the web server. Since this directory is different from session.save_path specified in php.ini, garbage collection will never occur, so the files will not be deleted.

You can also define your own session handler to do what you want.

Why not just use a cookie to "remember me" though, instead of keeping the sessions persistent? You're going to end up with a file on your computer for _every_ person that visits the site and the file will not go away. Seems like it'd be better to just use a cookie and load their data if it's not already present, like on their first visit.

---John Holmes...

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
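
The probabilistic garbage collection described in the reply above can be modelled to show why the observed idle timeout varies with site traffic. This is an added example, not code from the thread; it assumes evenly spaced hits from other visitors while one user stays idle, and the traffic rates are constructed.

```python
import random

GC_MAXLIFETIME = 1440   # session.gc_maxlifetime from the post, in seconds
GC_PROBABILITY = 0.01   # "1% of the hits", the default the reply mentions


def expected_idle_at_deletion(hits_per_minute):
    """Mean idle time (seconds) before an untouched session file is deleted.

    The file becomes eligible after GC_MAXLIFETIME; from then on each site hit
    runs GC with probability GC_PROBABILITY, so the extra wait is geometric.
    """
    seconds_per_hit = 60.0 / hits_per_minute
    return GC_MAXLIFETIME + seconds_per_hit / GC_PROBABILITY


def survival_probability(idle_seconds, hits_per_minute):
    """Chance the session file still exists after idle_seconds of inactivity."""
    if idle_seconds <= GC_MAXLIFETIME:
        return 1.0
    hits = int((idle_seconds - GC_MAXLIFETIME) * hits_per_minute / 60.0)
    return (1.0 - GC_PROBABILITY) ** hits


def simulate_deletion_time(hits_per_minute, rng):
    """One simulated run: idle seconds until a GC pass removes the file."""
    seconds_per_hit = 60.0 / hits_per_minute
    t = 0.0
    while True:
        t += seconds_per_hit                 # next hit by any other visitor
        if t > GC_MAXLIFETIME and rng.random() < GC_PROBABILITY:
            return t


def simulate_mean(hits_per_minute, runs=2000, seed=1):
    """Average simulated deletion time, to cross-check the closed form."""
    rng = random.Random(seed)
    total = sum(simulate_deletion_time(hits_per_minute, rng) for _ in range(runs))
    return total / runs


if __name__ == "__main__":
    for rate in (1, 10, 100):                # constructed traffic levels
        mean = expected_idle_at_deletion(rate)
        print(f"{rate:>3} hits/min: mean deletion after {mean / 60:.0f} min idle, "
              f"P(alive at 30 min) = {survival_probability(1800, rate):.2f}")
```

Under these assumptions a site with 1 hit per minute deletes an idle session after about 124 minutes on average, and one with 10 hits per minute after about 34 minutes, so the effective timeout is set by traffic as much as by gc_maxlifetime.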