I have a site running on Apache and using PHP. Sometimes I have users on the site doing work and then they suddenly lose their session. I start the session with
session_start()
and it puts a PHPSESSID cookie in the user's browser. I also have
session.cookie_lifetime=0
in my php.ini file. I also do a JavaScript long poll every 5 minutes to see if the session is still active.
Here is the PHP code that I use to see if the session is still active:
public function actionPollLogin()
{
    if (isset($_SESSION['user']['id']))
    {
        echo $this->renderAjaxJson(array("success"=>1));
    } else {
        echo $this->renderAjaxJson(array("success"=>0));
    }
}
If success == 0 then I return the user to the public part of the site. But like I said, the weird thing is that the user can be actively using the site and then idle for 20 seconds and get logged out. And for testing, I dump the session to the screen that the users are returned to, to confirm the session is dead.
What settings do I need to tweak to allow active users to stay logged in?
Here are my current php.ini settings:
session.hash_bits_per_character=5
session.hash_function=0
session.cache_expire=180
session.cache_limiter=nocache
session.referer_check=
session.gc_maxlifetime=1440
session.gc_divisor=1000
session.gc_probability=1
session.serialize_handler=php
session.cookie_httponly=
session.cookie_domain=
session.cookie_path=/
session.cookie_lifetime=0
session.auto_start=0
session.name=PHPSESSID
session.use_only_cookies=1
session.use_cookies=1
session.use_strict_mode=0
session.gc_maxlifetime specifies the number of seconds after which data will be seen as 'garbage' and potentially cleaned up.
So after 24 minutes your sessions expire server-side and are potentially cleaned up.
The solution for me was to add this line after my session_start();
$_SESSION['activity']=time();
This updated the last modified date of the session file every time the user interacted with the site.
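
The timestamp idea from the last answer can also drive an explicit idle check, so that expiry does not depend on when garbage collection happens to run. This is an added example, not code from the original posts; the function names and the `MAX_IDLE_SECONDS` constant are hypothetical, and the sample sessions are constructed.

```php
<?php
declare(strict_types=1);

// Assumed idle limit; set to the same value as session.gc_maxlifetime in the question.
const MAX_IDLE_SECONDS = 1440;

// Pure check: is this session logged in and recently active?
// Reads the 'activity' stamp rather than trusting the garbage collector, which
// with gc_probability=1 and gc_divisor=1000 starts on about 0.1% of session starts.
function sessionIsFresh(array $session, int $now, int $maxIdle = MAX_IDLE_SECONDS): bool
{
    if (!isset($session['user']['id'], $session['activity'])) {
        return false; // not logged in, or never stamped (stamp it at login)
    }
    return ($now - (int)$session['activity']) <= $maxIdle;
}

// Call right after session_start() on every real user request.
// Returns true if the request may continue as a logged-in user.
function enforceIdleTimeout(array &$session, int $now, int $maxIdle = MAX_IDLE_SECONDS): bool
{
    if (!sessionIsFresh($session, $now, $maxIdle)) {
        $session = []; // drop stale login data at a predictable moment
        return false;
    }
    $session['activity'] = $now; // record this request as activity
    return true;
}

// In a request handler (sketch):
//   session_start();
//   if (!enforceIdleTimeout($_SESSION, time())) {
//       session_destroy();
//       // send the user to the public part of the site
//   }
// A poll endpoint such as actionPollLogin() can call sessionIsFresh() instead,
// so that background polling alone does not count as user activity.

// Constructed sample sessions (not real data) to exercise the logic from the CLI.
$now = 1700000000;
$samples = [
    'active'    => ['user' => ['id' => 7], 'activity' => $now - 20],
    'expired'   => ['user' => ['id' => 7], 'activity' => $now - 1500],
    'unstamped' => ['user' => ['id' => 7]],
];
foreach ($samples as $label => $s) {
    printf("%-10s %s\n", $label, enforceIdleTimeout($s, $now) ? 'keep' : 'logout');
}
```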