Bug #74985 Session timeout limited to 1440 seconds!
Submitted: 2017-07-25 06:38 UTC Modified: 2019-03-04 21:04 UTC
From: matthew at slyman dot org Assigned:
Status: Not a bug Package: *General Issues
PHP Version: 7.1.7 OS: CentOS
Private report: No CVE-ID: None
 [2017-07-25 06:38 UTC] matthew at slyman dot org
Description:
------------
With the following session configuration, I get the desired 2 hour sessions in PHP7.0 — but in PHP7.1, sessions seem to be limited to a much shorter time, e.g. 900–1440 seconds, despite my attempt to reconfigure this: PHP7.1 seems to be ignoring my instructions about how long sessions should last for! I realise that session garbage collection has been changed. Is there a bug in PHP, or have I forgotten to configure something in the new system?

Test script:
---------------
\ini_set('session.use_only_cookies',1);
\ini_set('session.use_strict_mode',1);
\ini_set('session.gc_maxlifetime',7200);//2 hour sessions
\ini_set('session.cookie_httponly',1);
\ini_set('session.cookie_secure',1);
\ini_set('session.cookie_lifetime',0);
\ini_set('session.hash_function','sha256');//Does nothing in PHP7.1
\ini_set('session.hash_bits_per_character','4');//Does nothing in PHP7.1
\ini_set('session.sid_length',64);//PHP7.1
\ini_set('session.sid_bits_per_character',4);//PHP7.1
\session_start();


Expected result:
----------------
Sessions should last for 2 hours (7200s).

Actual result:
--------------
Sessions last for ≤1440 seconds before garbage collection occurs, which logs out users before they can complete certain actions, e.g. completing extended psychometric profile questionnaires (large HTML forms).

History

 [2017-08-12 14:45 UTC] ajf@php.net
Have you tried changing the INI file directly, rather than at runtime?
 [2017-08-12 15:05 UTC] spam2 at rhsoft dot net
doing that with ini_set() is flawed by design - you can't expect any useful behavior when some scripts use the ini-settings, some per vhost and others manage with ini_set() because the workers are shared between all the incarnations of settings and so you are playing finally lottery

what do you think happens when the next request handles a different script and that has a lower value - GC is started and your sessions from other requests are purged too

hence normally it should be prohibited (php_admin_value in the vhost config which no longer allows to change values from scripts) and when you have different settings for vhosts each of them has to use its own exclusive session_save_path

anyways, it's a poor "to work out of the box" default to select a random worker which has to handle a request for cleanup of a directory with probably many thousand of files and so on serious production machines the session GC of PHP is disabled at all and the cleanup done with cronjobs calling something like "find /var/www/sessiondata -type f -mmin +30 -delete" which under load also makes sure that "session.gc_probability" hits probably a dozen of processes doing concurrent cleanup - set it to 0 and do it proper with a cronjob
 [2019-02-28 19:56 UTC] kontakt at beberlei dot de
You didn't mention your OS, but I am sure it is related to Debian/Ubuntu's session cleanup script. It scans the PHP.ini for the session.gc_lifetime and deletes all files older than that from the session directory. That means you must change this variable in php.ini and not with ini_set to really increase it.
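Added example (not part of the original thread and not any distribution's actual cleanup script): a shell sketch of the situation the two comments above describe, where a file-age sweep over the session directory uses the 1440-second lifetime instead of the 7200 seconds the script requested with ini_set(). The temporary directory, the sess_* file names and the idle times are constructed for illustration.

```shell
#!/bin/sh
# Constructed demonstration: session files of different idle ages are swept
# by a find-based cleanup, once with 1440 s and once with 7200 s.

# make_session DIR NAME IDLE_SECONDS
# Create an empty session file whose mtime is IDLE_SECONDS in the past.
make_session() {
    : > "$1/$2"
    touch -d "@$(( $(date +%s) - $3 ))" "$1/$2"
}

# purge_sessions DIR LIFETIME_SECONDS
# Delete session files idle longer than the lifetime (find works in minutes).
purge_sessions() {
    find "$1" -type f -name 'sess_*' -mmin "+$(( $2 / 60 ))" -delete
}

# survivors DIR
# Print the remaining session file names, sorted, on one line.
survivors() {
    ls "$1" | sort | tr '\n' ' ' | sed 's/ $//'
}

# run_case LIFETIME_SECONDS
# Build a fresh store with four sessions, sweep it, report what is left.
run_case() {
    dir=$(mktemp -d)
    make_session "$dir" sess_010min 600    # active user
    make_session "$dir" sess_030min 1800   # user filling in a long form
    make_session "$dir" sess_100min 6000   # still inside a 2 hour window
    make_session "$dir" sess_130min 7800   # past the 2 hour window
    purge_sessions "$dir" "$1"
    survivors "$dir"
    rm -rf "$dir"
}

# Sweep driven by the 1440 s value: the 30 and 100 minute sessions are lost.
echo "lifetime 1440s keeps: $(run_case 1440)"
# Sweep driven by the 7200 s value the application wanted.
echo "lifetime 7200s keeps: $(run_case 7200)"
```

Any process that sweeps the same directory with the shorter value removes the files regardless of what another script set at runtime, which is why the comments recommend one lifetime per session save path.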
 [2019-02-28 20:11 UTC] beberlei@php.net
-Status: Open +Status: Not a bug
 [2019-02-28 20:11 UTC] beberlei@php.net
Closing as not a php bug, probably related to distribution sessionclean cronjob script. Please re-open if this is a wrong assumption.
 [2019-03-04 21:04 UTC] matthew at slyman dot org
-Operating System: +Operating System: CentOS
 [2019-03-04 21:04 UTC] matthew at slyman dot org
No Debian/Ubuntu anywhere near this installation. It runs CentOS+cPanel. I will do some more tests in the next 4-6 weeks...
 
Last updated: Fri Apr 19 21:01:30 2024 UTC