13

Based on the following question/answer: CodeIgniter session class not working in Chrome

I had the problem where people are unable to log in to my website from another country which is far from the US server. After searching online I've stumbled upon a suggestion which describes how the problem is based on the difference between the server's timezone and the user's timezone. So, by extending the session_expiration I've managed to get around the problem and people are able to log in successfully.

My question is whether the sess_time_to_update creates a new timestamp and it will log out the user because the new timestamp is in the wrong timezone? Do I have to make the new sess_time_to_update 17+ hours so that it covers the broadest range of timezones as explained in the question that I've linked? Is there some other way of storing the session at the user's browser based on their local time (without asking them to choose timezones in the profiles and other sorts of user unfriendly schemes)? I would like to have a 2h default session expiration time + the 800sec. update time. I'm not using the database to store the session and I would rather not use it.

Community
Ando

1 Answer

14

The sess_time_to_update setting is how often the session details (such as last activity) are updated. The default is every 5 minutes (300 seconds) and a new session ID will be generated. This would reset the expiration date based on the sess_expiration setting.

I would suggest keeping the sess_time_to_update at the default (or lower) as that would keep the user session alive longer since the session expiration would keep getting reset. The only setting that may need to remain high would be sess_expiration, that is unless you can determine the user's timezone.

There are a couple of ways you could try to determine the user's timezone. One would be JavaScript (Example: Client Side Timezone Offsetting) or you could try using PHP's GEOIP Methods.

  • So does that mean that session_time_to_update only updates the ID and the expiration date and not the timestamp? Also I'm interested to know why the session is not generated per the user's browser time or local time of some sort, rather than server time. – Ando Dec 21 '12 at 05:52
  • The expiration date is determined based on the sess_expiration setting and when the last user activity occurred (timestamp). The sess_time_to_update updates the last activity timestamp and regenerates the session id, and thus automatically updates the session expiration time as well (last activity + sess_expiration). The session can't be generated with the user's time because CI (and PHP) have no way of determining that information since that is browser side, and the code runs server side. – justanotherprogrammer Dec 21 '12 at 16:41
  • Hm... Sorry, but why do you suggest to keep `sess_time_to_update` low? I really don't want the user to get a new session ID just "because". – Yevgen Sep 17 '13 at 14:07
  • 2
    As mentioned in the previous comment, it does more than just generate a new session ID. It also updates the last activity timestamp which more accurately keeps sessions alive. If you set `sess_time_to_update` high, you risk having a user session be destroyed even though they may be actively doing something. CI needs to be told to update on a regular basis so a session stays alive. How frequently that should be will depend on your application. If you have a session length of 3 hours, under 5 minutes is probably overkill, but if your session is set for 15 minutes, a smaller timeframe is best – justanotherprogrammer Sep 20 '13 at 15:28
  • So - I look in my 'sess_save_path' folder and I find over 1000 ci_sesson files - is this necessary for a site that has maybe 3 people logging in every day? –  May 29 '19 at 23:27
  • No, I wouldn't consider that normal. I'm used to using a database-driven session, but I imagine it is the same in your case - the session management is handled by PHP's garbage collection. How frequently garbage collection is run is based on a couple settings in php.ini, session_gc_probability and session_gc_divisor. If probability is set to 0, garbage will never be collected, and your number of sessions will continue to grow. – justanotherprogrammer May 31 '19 at 13:30
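
The timing rules described in the answer and comments above (expiry is last activity plus `sess_expiration`; only an update pass moves last activity forward and regenerates the ID), replayed as an added example that is not part of the original thread and is not CodeIgniter's source code. The function name `replay_session()`, the request times and the 900 / 1200 pair (built from the 15-minute session mentioned in the comments) are assumptions made for this example; 7200 / 800 are the values from the question.

```php
<?php
// Added example: a model of the timing rules described in the thread.
// It is not CodeIgniter's source code.

/**
 * Replay request times (seconds after login, server clock) through the model.
 * replay_session() and its row format are names made up for this example.
 * Returns one row per request: [time, event, session id, expires at].
 */
function replay_session(int $sessExpiration, int $sessTimeToUpdate, array $requestTimes): array
{
    $lastActivity = 0;                          // stamped at login
    $sessionId    = bin2hex(random_bytes(4));   // short id, for display only
    $rows = [];

    foreach ($requestTimes as $now) {
        // Expiry = last activity + sess_expiration, both server-side values.
        if ($now > $lastActivity + $sessExpiration) {
            $rows[] = [$now, 'destroyed', $sessionId, $lastActivity + $sessExpiration];
            break;
        }
        $event = 'kept';
        // Only an update pass moves last activity forward and rotates the id.
        if ($now >= $lastActivity + $sessTimeToUpdate) {
            $lastActivity = $now;
            $sessionId    = bin2hex(random_bytes(4));
            $event        = 'regenerated';
        }
        $rows[] = [$now, $event, $sessionId, $lastActivity + $sessExpiration];
    }
    return $rows;
}

// Constructed input: a user who sends a request every 5 minutes for 40 minutes.
$clicks = range(300, 2400, 300);

$cases = [
    'question values (7200 / 800)'          => [7200, 800],
    'update interval too high (900 / 1200)' => [900, 1200],
];

foreach ($cases as $label => [$expiration, $update]) {
    echo $label, PHP_EOL;
    foreach (replay_session($expiration, $update, $clicks) as [$t, $event, $id, $expires]) {
        printf("  t=%4ds  %-11s id=%s  expires at %ds%s", $t, $event, $id, $expires, PHP_EOL);
    }
}
```

In the second case the session is destroyed while the user is still sending requests, because no update pass ran before last activity plus `sess_expiration` was reached. Every timestamp in the model comes from the server clock.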