OK, after days of frustration I have stumbled across an issue with sessions. Unfortunately, I am not sure if the solution I found will become a security issue or risk.
I was working on a PHP project on my localhost, logged in to the app, and I could walk away for 5, 10, even 15 minutes, come back and still proceed through my application logged in. When I uploaded my project to test online, if I logged in I could refresh in 2-3 minutes and would have to log back in.
I tried everything from about 50 posts on here and got no result, so I decided to read every line of phpinfo on my localhost and my host to compare. Came up with nothing... well, in fact I overlooked a detail.
So this morning, with coffee and very little hair left, I found the problem.
session.cache_expire = 180
Now this closes at 3 minutes regardless of the session lifetime. Also, on localhost:
session.gc_divisor = 1000
The session.gc_divisor is 1000 on localhost, but on my web host it's 100.
Now I have a file called sessions.php and in it is my session_start. The solution I found was here: http://php.net/manual/en/function.session-cache-expire.php
So I have changed my session file to the following.
<?php
// Set the Cache-Control header sent with the session's pages to "private".
session_cache_limiter('private');
$cache_limiter = session_cache_limiter();
// Set the cache expiry (in minutes) advertised to HTTP caches; default is 180.
session_cache_expire(30);
$cache_expire = session_cache_expire();
// Start (or resume) the PHP session, then buffer output.
session_start();
ob_start();
The result is that when I leave my browser open for longer than 3 minutes it no longer requires me to log back in. But is this a proper solution?
You should be aware that session.cache_expire has nothing to do with the lifetime of a PHP session. It's to do with HTTP caches. Is there a proxy in front of your web server that is caching content? That's what that setting controls.
In terms of PHP session lifetime here are your key settings:
session.gc_maxlifetime - The number of seconds before a session is marked as "garbage". This is enforced by the server.
session.cookie_lifetime - The number of seconds before the session cookie expires. This is enforced by the client (web browser).
You have to make sure both are complementing each other. If the server side expires before the client side, the client will present the session cookie and the server will reject it. If the client cookie expires before the server side, the browser won't send the session cookie at all and the server will send a new one, thinking it's a new client.
As for garbage collection itself, it's not going to impact session lifetime either as this only comes into play for sessions that have been marked as "garbage" by the server. There are two key settings:
session.gc_probability
session.gc_divisor
The easiest way to think of these is as a fraction. For example:
session.gc_probability = 1
session.gc_divisor = 100
There will be a 1 in 100 chance that a client request will trigger the garbage collector. So, 1 in 100 clients get a small performance degradation (not really - it's very fast). It's probably set to 1000 on your production server because it's handling a lot of traffic. That is, if you get 1000 requests in a minute, you might only want the garbage collector to be invoked about once a minute.
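Putting the answer's two lifetimes together in a session bootstrap, as an added example (this is not code from the question or the answer): gc_maxlifetime and the cookie lifetime are set to the same value, and because garbage collection only runs on 1 in gc_divisor requests, the idle timeout is also enforced in the application. The 30-minute window, the `last_activity` key and PHP 7.3+ (for the array form of session_set_cookie_params) are assumptions.

```php
<?php
// Added example: align server-side and client-side session lifetimes, then
// enforce the idle timeout in code rather than relying on probabilistic GC.

const SESSION_IDLE_SECONDS = 1800; // assumed value: 30 minutes

// Server side: seconds before the session data may be treated as garbage.
ini_set('session.gc_maxlifetime', (string) SESSION_IDLE_SECONDS);

// Reject session IDs the server did not issue (defends against fixation).
ini_set('session.use_strict_mode', '1');

// Client side: the cookie lifetime matches gc_maxlifetime so that neither
// side expires before the other, as the answer describes.
session_set_cookie_params([
    'lifetime' => SESSION_IDLE_SECONDS,
    'path'     => '/',
    'secure'   => true,   // only sent over HTTPS
    'httponly' => true,   // not readable from JavaScript
    'samesite' => 'Lax',
]);

session_start();

// Application-level idle check: GC runs only on gc_probability/gc_divisor of
// requests, so an expired-but-uncollected session could otherwise be reused.
$now = time();
if (isset($_SESSION['last_activity'])            // assumed session key
    && ($now - $_SESSION['last_activity']) > SESSION_IDLE_SECONDS) {
    // Idle too long: drop the old data and issue a fresh session ID.
    session_unset();
    session_destroy();
    session_start();
    session_regenerate_id(true);
}
$_SESSION['last_activity'] = $now;
```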