php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #48063 Spontaneously disappearing, cookie-based sessions
Submitted: 2009-04-23 16:51 UTC Modified: 2009-04-25 10:31 UTC
From: myselfasunder at gmail dot com Assigned:
Status: Not a bug Package: Session related
PHP Version: 5.2.9 OS: Ubuntu
Private report: No CVE-ID: None
View Developer Edit
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: myselfasunder at gmail dot com
New email:
PHP Version: OS:

 

 [2009-04-23 16:51 UTC] myselfasunder at gmail dot com 
Description:
------------
I have set the following:

session_name('GOLDENCOLLECTION');
session_set_cookie_params(86400 * 3);
ini_set('session.use_only_cookies', '1');
ini_set('session.gc_maxlifetime', 86400 * 3);


I can load the same page many times successfully. However, if I wait a while, around twenty minutes, the session's members are no longer available.

This is the first time I've used cookies to carry the SID (instead of putting them in the URL).

I have administrative control of the system.

Reproduce code:
---------------
session_start();


Expected result:
----------------
The session should be started and all preexisting members should be available. They -does- happen, but until only around twenty or thirty minutes have elapsed, and then they'll be gone.

Actual result:
--------------
They'll disappear without me doing anything.

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2009-04-23 17:33 UTC] jani@php.net 
Thank you for this bug report. To properly diagnose the problem, we
need a short but complete example script to be able to reproduce
this bug ourselves. 

A proper reproducing script starts with <?php and ends with ?>,
is max. 10-20 lines long and does not require any external 
resources such as databases, etc. If the script requires a 
database to demonstrate the issue, please make sure it creates 
all necessary tables, stored procedures etc.

Please avoid embedding huge scripts into the report.
 [2009-04-23 19:06 UTC] myselfasunder at gmail dot com 
<?php

session_name('COOKIE');
session_set_cookie_params(86400 * 3);
ini_set('session.use_only_cookies', '1');
ini_set('session.gc_maxlifetime', 86400 * 3);

session_start();

if(isset($_SESSION['aa']))
	print("Session already exists.<br>");

else
	print("Session DOES NOT exist.<br>");

$_SESSION['aa'] = true;
 [2009-04-23 21:02 UTC] scottmac@php.net 
You need to set it in the php.ini, if any other script uses sessions and doesn't set it to be the same value it will delete the sessions.
 [2009-04-23 21:24 UTC] myselfasunder at gmail dot com 
Even if this is the only script that executes on the system (a front-controller in the only application)?

How about the fact that my session-name is 'COOKIE' in this test-script... Wouldn't only everything that uses a session-name of COOKIE interfere with each other, in this case?
 [2009-04-23 21:59 UTC] scottmac@php.net 
It's not that smart, it just looks through the session directory and kills anything that looks like a session file based on the last time the file was read and the currently lifetime value.

If there are zero other scripts on the system then it should be fine, but I suspect there is one somewhere you are missing. Can you add this to the php.ini file and see if you can reproduce it?

We could look to adding the session lifetime to the file but that would break backwards compatibility and you could accidentally set a session to 10 years from now and it would never get removed.
 [2009-04-24 00:05 UTC] myselfasunder at gmail dot com 
This is just a project, at work, that I've been working on, and this is just all from the perspective of my local system... so, it's very unlikely that any other sessionized web-apps are running without me being able to think of them.

I don't exactly know the format of the session file, but since it deals with serialized information and a predictable data-size, you can presumably put the lifetime information at the end of the file without interfering with backward compatibility..?
 [2009-04-24 21:20 UTC] myselfasunder at gmail dot com 
I've removed the session name setting and the cookie-parameters call:

ini_set('session.use_only_cookies', '1');
ini_set('session.gc_maxlifetime', 86400 * 3);

session_start();

if(isset($_SESSION['aa']))
	print("Session already exists.<br>");

else
	print("Session DOES NOT exist.<br>");

$_SESSION['aa'] = true;


However, even though the cookie lifetime is 0, the session still disappears. Thoughts/suggestions?

Is this most likely a me-problem, or the extension?
 [2009-04-25 10:31 UTC] derick@php.net 
There might be a cronjob removing sessions... Debian based systems do that.
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved. 		Last updated: Sat Jul 12 11:01:32 2025 UTC