  1. #1
    SitePoint Enthusiast

    Understanding gc_maxlifetime and session cookie

    I have an application that ideally should allow the user to log in and leave open until they either log out or close the browser. (I'm curious as to how Facebook and others actually do this.) I understand how to set the timeout value for the gc_maxlifetime in the php.ini file and have done so. It's my understanding that when this timeout value is reached, the session variables will be wiped out. I'm currently using sessions and can live with the max timeout for now.

    In my application after the time value has been reached and the user tries to use one of the features, the application appears to hang up because the session variables referred to are gone. According to the error.log, my $_SESSION['loggedIn'] variable is undefined. That makes sense and it would appear that I need to code to redirect the user to the login page. But when you refresh the window, the application fires back up and functions normally thereafter without having to log back in. And that's my confusion. How is this possible if the session variables are gone? I confirm that the PHPSESSID cookie still exists, but if the session variables are undefined...

    Anyway, I'm at a loss. I've been reading up on the session cookie as well as gc_maxlifetime in both the forum and from outside sources. Before I implement a solution that, though not Facebook-like yet, will get the task off my ToDo list, I'd like to understand what's going on here. If the user really has to log back in after the gc_maxlifetime count occurs, I can code for that, but I don't want them to be able to refresh the browser and keep going.

    Thoughts, suggestions or direction on where to go for this info would be greatly appreciated.

  2. #2
    SitePoint Enthusiast
    Here's the condensed version of what I'm trying to relate above:

    A user logs into my application. After the session times out on the server, the application no longer works. The session variables are undefined. This has to do with gc_maxlifetime. I understand all of this and there is no problem here.

    Then the user refreshes the browser and the application begins working again. All the session variables are set without having to log in again. This has to do with the session cookie on the user's browser. I do not understand what's going on here.

  3. #3
    Utopia, Inc. silver trophy
    ScallioXTX's Avatar
    The value for gc_maxlifetime does not mean "after this many seconds the session will be invalid and destroyed", but rather

    Quote Originally Posted by php manual
    session.gc_maxlifetime specifies the number of seconds after which data will be seen as 'garbage' and potentially cleaned up.
    -- http://www.php.net/manual/en/session...gc-maxlifetime (emphasis is mine)

    So every time PHP starts processing a request there is a chance it will invalidate and destroy current sessions older than gc_maxlifetime. By default this chance is 1%.

    As for your question how Facebook and others keep people logged in, they usually set an extra cookie which identifies the person logged in, and if they see there is no user logged in they check if that cookie exists and if so try logging the user in using that cookie. So that cookie is kind of like the username and password of the user (without actually storing the username and password as that would be a HUGE security risk).
    This is the only way (at least that I know of) to keep a user logged in when he closes and re-opens his browser. For more info on this search for "php persist login" in your favorite search engine.

    To avoid getting out while the browser is open there is an alternative option where you just send a simple Ajax request to the server at a set interval (say every minute) that prolongs the lifetime of the session. That way the session will not expire regardless of how long the user is idle.
    Rémon - Hosting Advisor

    SitePoint forums will switch to Discourse soon! Make sure you're ready for it!

    Minimal Bookmarks Tree
    My Google Chrome extension: browsing bookmarks made easy
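
The persistent-login cookie described in the post above, as an added example that is not part of the original thread: the cookie carries a random selector and validator, the server stores only a hash of the validator, and every token is single-use. The function names, the 30-day lifetime and the `$store` array (standing in for a database table) are assumptions made for the illustration.

```php
<?php
declare(strict_types=1);

// Added example. $store stands in for a database table keyed by selector;
// issueRememberToken() and consumeRememberToken() are hypothetical names.

const REMEMBER_TTL = 30 * 24 * 3600; // assumed token lifetime: 30 days

// Create a token for $userId and return the value to place in the cookie.
function issueRememberToken(array &$store, int $userId, int $now): string
{
    $selector  = bin2hex(random_bytes(9));   // lookup key, not secret
    $validator = bin2hex(random_bytes(32));  // secret, never stored in clear
    $store[$selector] = [
        'user_id' => $userId,
        'hash'    => hash('sha256', $validator),
        'expires' => $now + REMEMBER_TTL,
    ];
    return $selector . ':' . $validator;
}

// Validate a cookie value. Returns the user id, or null if it is rejected.
// The token is deleted on every lookup, so a copied cookie works at most once.
function consumeRememberToken(array &$store, string $cookie, int $now): ?int
{
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2 || !isset($store[$parts[0]])) {
        return null;
    }
    $row = $store[$parts[0]];
    unset($store[$parts[0]]);
    if ($row['expires'] < $now) {
        return null;
    }
    // Constant-time comparison of the stored hash with the presented secret.
    $ok = hash_equals($row['hash'], hash('sha256', $parts[1]));
    return $ok ? $row['user_id'] : null;
}

// Constructed demonstration; runs from the command line.
$store  = [];
$cookie = issueRememberToken($store, 42, time());
var_dump(consumeRememberToken($store, $cookie, time())); // first use
var_dump(consumeRememberToken($store, $cookie, time())); // replay of the same value
var_dump(consumeRememberToken($store, 'bogus', time())); // malformed cookie
```

After a successful lookup the application would call `session_regenerate_id(true)`, issue a fresh token, and send it with `setcookie()` using the `secure`, `httponly` and `samesite` options.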

  4. #4
    SitePoint Enthusiast
    I've begun looking into your suggestions. Thank you. And thanks for the clarification on what's actually happening with the garbage collector.

    What still confuses me is that after the session variables have been cleaned up by the garbage collector (and I'm able to confirm this in the error log) and I'm no longer able to access the features of the application, if -- with the application still frozen up -- I click the refresh button of the browser window, the page refreshes and the application becomes functional once again.

    I must be missing something in my understanding because to me the session variables appear to be getting repopulated with values (login and password because each page requires this confirmation) but I didn't log in again. I just hit the refresh button. Thoughts on that?
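
Because gc_maxlifetime only marks session data as eligible for cleanup (post #3), a session can outlive that value and still load on a later request. One way to make the timeout deterministic is to check a last-activity timestamp in application code; this is an added example, not code from the thread, and `IDLE_LIMIT`, `lastActivity`, the function names and the login URL are assumptions.

```php
<?php
declare(strict_types=1);

// Added example. IDLE_LIMIT, sessionIsFresh() and requireLogin() are
// hypothetical names; 'loggedIn' is the session key mentioned in the thread.

const IDLE_LIMIT = 1800; // assumed idle limit in seconds

// Pure decision: is the session logged in and active within the limit?
function sessionIsFresh(array $session, int $now, int $limit = IDLE_LIMIT): bool
{
    if (empty($session['loggedIn']) || !isset($session['lastActivity'])) {
        return false; // never logged in, or the data has been cleaned up
    }
    return ($now - (int) $session['lastActivity']) <= $limit;
}

// Call at the top of every protected page, before any output is sent.
function requireLogin(): void
{
    session_start();
    if (!sessionIsFresh($_SESSION, time())) {
        // Expire it ourselves instead of waiting for the garbage collector.
        $_SESSION = [];
        session_destroy();
        header('Location: /login.php'); // assumed login URL
        exit;
    }
    $_SESSION['lastActivity'] = time(); // slide the window on each request
}

// Constructed sessions exercising the decision; runs from the command line.
$now   = 1700000000;
$cases = [
    'active 5 min ago'  => ['loggedIn' => true, 'lastActivity' => $now - 300],
    'idle for 2 hours'  => ['loggedIn' => true, 'lastActivity' => $now - 7200],
    'data already gone' => [],
];
foreach ($cases as $label => $session) {
    printf("%-18s %s\n", $label, sessionIsFresh($session, $now) ? 'allow' : 'login');
}
```

The login handler has to set `$_SESSION['lastActivity']` together with `$_SESSION['loggedIn']`, otherwise the first protected request is rejected.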

  5. #5
    Utopia, Inc. silver trophy
    ScallioXTX's Avatar
    Are you using any framework? If you are, maybe it uses the cookies I described in my previous post?

  6. #6
    SitePoint Enthusiast
    No framework. Just me and TextMate...completely SitePoint (Yank) indoctrinated. And the only cookie is the session cookie.

  7. #7
    Utopia, Inc. silver trophy
    ScallioXTX's Avatar
    That is very weird indeed. I don't know how that could happen.

  8. #8
    SitePoint Enthusiast
    Well, you've given me some good info. Thanks. I just hope I'm not leaving out a key piece of the puzzle in trying to explain what's occurring. I'm only now starting to delve into understanding the server settings and their implications. Will keep at it and hopefully come up with something to explain all of this.

