1

I have a cookie that appears to be getting created correctly, listed in Chrome as

Created:    Tuesday, January 22, 2013 4:17:01 PM
Expires:    Thursday, May 2, 2013 5:17:22 PM

I see the session file in the tmp folder on my server, and I can close and re-open the browser and remain logged in. However, after several hours of inactivity, the session file appears to get deleted from the tmp folder.

I solved a previous problem where the session was getting overwritten (session file still existed, but size was 0 bytes) because a script called by a jQuery function was not preserving the session data. However, in this case the session file disappears.

How can I fix this problem?

jela

1 Answer

1

Every session has a limited lifetime. In PHP this lifetime can be set by

ini_set('session.gc_maxlifetime', $seconds);

session.gc_maxlifetime specifies the number of seconds after which data will be seen as 'garbage' and potentially cleaned up. Garbage collection may occur during session start (depending on session.gc_probability and session.gc_divisor).

http://php.net/manual/en/session.configuration.php#ini.session.gc-maxlifetime

Don't set this to very high values (days or months). If you want to auto-login your users, save a token into a user's cookie and create a new session when the old one is gone.

Might want to read this: "Designing a secure auto login cookie system in PHP"

and this: "Creating a secure login using sessions and cookies in PHP"

Michel Feldheim
  • Interesting. What is the drawback of setting a long ini.session.gc-maxlifetime? Also, when using your token suggestion, my understanding is that I will check to see if there's an active session, if not, check for the token cookie, then match this token against a table of token/username combinations (the token being an arbitrary value like `md5(uniqid('', true));` as suggested by your linked question) whereby to repopulate the session data. Is my understanding correct? – jela Jan 23 '13 at 16:55
  • Yeah, exactly. The reason why you shouldn't rely on the session alone is that it only creates temporary files. A session is not designed to be active over days and months. You'll create a session file for each session, which can easily explode your server if you've got enough traffic. On ext filesystems, already 10,000 files in one directory significantly increase the directory lookup for random access – Michel Feldheim Jan 23 '13 at 17:40
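
The flow confirmed in the comments above (no active session, check the token cookie, match it against a token table, repopulate the session), as an added example that is not part of the original answer or comments. It assumes an in-memory array in place of the table and the hypothetical names `issueToken` and `redeemToken`, and it uses `random_bytes` with a stored SHA-256 hash rather than the `md5(uniqid())` value mentioned in the comment.

```php
<?php
// Added example: remember-me token that lets the application create a new
// session after the old session file has been garbage-collected.
// $store stands in for a token/username table (assumption: use a real
// database table in production). All names here are hypothetical.

function issueToken(array &$store, string $username, int $ttl = 2592000): string
{
    $selector  = bin2hex(random_bytes(9));   // lookup key, not secret
    $validator = bin2hex(random_bytes(32));  // secret; only its hash is stored
    $store[$selector] = [
        'user'    => $username,
        'hash'    => hash('sha256', $validator),
        'expires' => time() + $ttl,          // constructed default: 30 days
    ];
    return $selector . ':' . $validator;     // value to place in the cookie
}

// Returns [username, replacement cookie value], or null if the token is
// unknown, expired, or carries the wrong validator.
function redeemToken(array &$store, string $cookie): ?array
{
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2 || !isset($store[$parts[0]])) {
        return null;
    }
    [$selector, $validator] = $parts;
    $row = $store[$selector];
    unset($store[$selector]);                // single use, whether it verifies or not
    if ($row['expires'] < time()
        || !hash_equals($row['hash'], hash('sha256', $validator))) {
        return null;                         // constant-time compare failed or expired
    }
    // Rotate: every successful auto-login hands out a fresh token.
    return [$row['user'], issueToken($store, $row['user'])];
}

// Constructed walk-through; runs from the CLI without cookies or sessions.
$store  = [];
$cookie = issueToken($store, 'alice');       // done once, at password login
$result = redeemToken($store, $cookie);      // later request: session file is gone
// In a web request you would now call session_start() and
// session_regenerate_id(true), set $_SESSION['user'] = $result[0], and send
// $result[1] with setcookie() using the Secure, HttpOnly and SameSite options.
var_dump($result !== null ? $result[0] : null);
var_dump(redeemToken($store, $cookie));      // replaying the old cookie is rejected
```

With this in place `session.gc_maxlifetime` can stay short, because the long-lived state is one table row per token rather than one session file per visitor.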