2

I am trying to keep a user logged in for 2 weeks. If the user logs in with "remember me" checked, then I set some variables in the session and the cookie is set for 2 weeks. It is set correctly; I have printed it and got the values session_cookie_lifetime = 1209600 and session_gc_maxlifetime = 1209600. I also printed the session and got the correct values in $_SESSION.

After logging in to my site, when I shut down my computer and reopen my site, it seems to be working (it keeps me logged in). But when I shut down my computer and open my browser the next day, it is not working and it shows that I am not logged in to my site. I have printed $_COOKIE and $_SESSION. It shows that in the cookie there is:

[PHPSESSID] => svikos35bgclmebk2cqraiddt2

But session is empty.

I got this from the MODx stuff:

MODx automatically starts and ends sessions with each request made to the site. You can simply save values into the $_SESSION array and they will be saved in between requests so you can use them on subsequent pages (so long as you have the same user session). Not really any magic to it other than don’t call the session functions yourself to start, end, or otherwise manipulate the session configuration—that can all be done via settings in MODx.

I am using MODx Revo. It is a rather descriptive question. Let me know if you need something else. Anything that may help me (blog link, any settings, any suggestion) will be highly appreciated.
Thanks in advance.

MrHaze
Awlad Liton
  • 2
    RTFM: http://php.net/session_destroy "If a cookie is used to... then the cookie must be deleted". `session_destroy` is mostly the equivalent of `$_SESSION = array()` and does not destroy anything else other than the contents of the session. – Marc B Jan 21 '14 at 04:23
  • 2
    Session only persists till the browser is closed. You may have to re-create your session from the cookie. – bansi Jan 21 '14 at 04:26
  • If I need to re-create the session, then I think the session should be empty every time after closing my browser. But it has all the values in the session after restarting my browser. It is only gone the next day after login when I open my browser. Actually, session and cookie are automatically handled by MODx. As far as I know, I just need to set it. – Awlad Liton Jan 21 '14 at 04:32
  • @bansi you're wrong. A session may be on the server for a week and more. It is saved in the PHP session directory (for example), and sometimes servers fail when this dir overflows. – BaBL86 Jan 21 '14 at 04:34
  • @BaBL86 The session may be there on the server, but how is the server going to make out which session belongs to which browser, if the browser won't send session details to the server? And standard browsers won't keep the session details after the browser closes. – bansi Jan 21 '14 at 04:47
  • @Marc B: can you have a look at updated question? – Awlad Liton Jan 21 '14 at 04:53
  • just because your browser is maintaining the session cookie means nothing to the server - it will garbage collect stale sessions on its own schedule, and that collection couldn't care less what your browser is doing. – Marc B Jan 21 '14 at 04:54
  • How can I make sure that the cookie is set correctly? – Awlad Liton Jan 21 '14 at 05:04
  • @Gumbo: can you have a look at this? – Awlad Liton Jan 21 '14 at 05:36

3 Answers

2

This only happens after a day? Could tmpwatch be deleting session files from the server?

Sean Kimball
  • Yes, this happens after a day. Can you explain a little bit more? – Awlad Liton Jan 22 '14 at 03:48
  • 1
    tmpwatch is a command, usually written into a cron script, that just deletes all files in the /tmp directory after a set amount of time [usually every 24 hours] http://linux.about.com/library/cmd/blcmdl8_tmpwatch.htm If this is happening, you might be able to set up a custom php.ini that uses a different tmp directory. – Sean Kimball Jan 22 '14 at 20:03
  • Thanks. Actually, that was the case. It is deleting session files on the server. – Awlad Liton Jan 28 '14 at 11:25
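A way to check for the condition this answer describes, as an added example that is not part of the original thread: the script below reports where PHP's "files" session handler stores its data, whether that directory sits under /tmp or /var/tmp, and whether the file for the browser's current session ID still exists. It assumes plain PHP run temporarily under the same web server as the site (outside MODx) and the cookie name PHPSESSID shown in the question; the function names are hypothetical.

```php
<?php
// Added diagnostic (not from the original post). Serve it temporarily from the
// same web server as the site so it reads the same php.ini, then remove it.

/** Return the directory part of session.save_path ("N;MODE;/path" is allowed). */
function session_dir(string $savePath): string
{
    $parts = explode(';', $savePath);
    $dir = trim(end($parts));
    return $dir !== '' ? $dir : sys_get_temp_dir(); // empty means the system temp dir
}

/** Collect the facts that decide whether a two-week session can survive. */
function session_report(string $sessionId, int $wantedLifetime = 1209600): array
{
    $dir  = session_dir((string) ini_get('session.save_path'));
    $real = realpath($dir) ?: $dir;
    $file = $real . '/sess_' . $sessionId;  // file name used by the "files" handler
    return [
        'handler'         => ini_get('session.save_handler'),
        'dir'             => $real,
        // /tmp and /var/tmp are the directories tmpwatch-style cron jobs usually clean
        'in_tmp'          => (bool) preg_match('#^/(var/)?tmp(/|$)#', $real),
        'gc_maxlifetime'  => (int) ini_get('session.gc_maxlifetime'),
        'cookie_lifetime' => (int) ini_get('session.cookie_lifetime'),
        'gc_too_short'    => (int) ini_get('session.gc_maxlifetime') < $wantedLifetime,
        'file_exists'     => is_file($file),
        'file_age_sec'    => is_file($file) ? time() - filemtime($file) : null,
    ];
}

// Accept only the characters PHP itself uses in session IDs, so the value
// taken from the cookie can never point outside the session directory.
$id = $_COOKIE['PHPSESSID'] ?? '';
if (!is_string($id) || !preg_match('/^[A-Za-z0-9,-]{22,256}$/', $id)) {
    $id = 'none';
}
header('Content-Type: text/plain');
print_r(session_report($id));
```

If `in_tmp` is true and `file_exists` turns false within a day while the cookie is still present, something other than PHP's own garbage collector is removing the files, and moving `session.save_path` to a dedicated directory writable only by the web server user addresses it.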
1

session_cookie_lifetime and session_gc_maxlifetime don't guarantee that the session will be saved for a week. GC kills unused sessions. Check the PHP documentation about these parameters and you will see that you can't be sure that your session will be on the server, and you can't be sure that your session will be destroyed after this time. GC is async.

You need to recreate $_SESSION after login (and autologin) if it doesn't exist.

Check this article (in Russian, try Google Translate): PHP GC: unexpected behavior

BaBL86
  • What do you mean by "correctly"? If you mean security, then add an md5 or sha hash to your cookie from user_id and pwd with login time, for example (you need to save login time in the user profile too, in the users table in MySQL) and check it. – BaBL86 Jan 21 '14 at 06:57
  • I want to know how to make sure that the cookie is set for 1209600. – Awlad Liton Jan 21 '14 at 07:03
  • It's not possible. User can clear his cookies or firewall/antivirus. Check this value server-side (for example, by login_time previously saved. If the diff is more than 1209600, destroy the cookies). – BaBL86 Jan 21 '14 at 07:12
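One way to re-create `$_SESSION` on autologin with the lifetime checked on the server, as this answer and its comments discuss (an added example, not code from the thread): it uses a random single-use token stored hashed in a database rather than the password-derived hash mentioned in the comments. It assumes plain PHP 7.3+ outside MODx, a PDO connection in exception mode, and hypothetical names for the table, cookie and functions.

```php
<?php
// Added example. Hypothetical table: remember_tokens(selector PRIMARY KEY, validator_hash, user_id, expires)
const REMEMBER_TTL = 1209600; // two weeks, the lifetime used in the question

/** Create a token at login when "remember me" is checked; returns the cookie value. */
function issue_remember_token(PDO $db, int $userId, int $now): string
{
    $selector  = bin2hex(random_bytes(9));
    $validator = bin2hex(random_bytes(32));
    $db->prepare('INSERT INTO remember_tokens VALUES (?, ?, ?, ?)')
       ->execute([$selector, hash('sha256', $validator), $userId, $now + REMEMBER_TTL]);
    return $selector . ':' . $validator;
}

/** Return the user id for a valid cookie value, or null. A token works only once. */
function redeem_remember_token(PDO $db, string $cookie, int $now): ?int
{
    if (!preg_match('/^([0-9a-f]{18}):([0-9a-f]{64})$/', $cookie, $m)) {
        return null;
    }
    $q = $db->prepare('SELECT validator_hash, user_id, expires FROM remember_tokens WHERE selector = ?');
    $q->execute([$m[1]]);
    $row = $q->fetch(PDO::FETCH_ASSOC);
    $db->prepare('DELETE FROM remember_tokens WHERE selector = ?')->execute([$m[1]]);
    if (!$row || (int) $row['expires'] < $now            // expiry is checked server-side
        || !hash_equals($row['validator_hash'], hash('sha256', $m[2]))) {
        return null;
    }
    return (int) $row['user_id'];
}

/** Call on every request, after the session has been started. */
function restore_login(PDO $db): void
{
    $cookie = $_COOKIE['remember'] ?? null;
    if (isset($_SESSION['user_id']) || !is_string($cookie)) {
        return; // session still alive, or nothing to restore from
    }
    $userId = redeem_remember_token($db, $cookie, time());
    $opts = ['path' => '/', 'secure' => true, 'httponly' => true, 'samesite' => 'Lax'];
    if ($userId === null) {
        setcookie('remember', '', ['expires' => 1] + $opts); // drop the bad cookie
        return;
    }
    session_regenerate_id(true);          // fresh session ID for the restored login
    $_SESSION['user_id'] = $userId;       // session data was lost, so rebuild it
    setcookie('remember', issue_remember_token($db, $userId, time()), ['expires' => time() + REMEMBER_TTL] + $opts);
}
```

Because the expiry lives in the database row, a cookie whose lifetime was edited in the browser still stops working after 1209600 seconds, and deleting a user's rows revokes every remembered login.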
0

The basic idea behind SESSION is that when you create or call the session_start() method, your server generates a session id and stores it in server memory. The server also creates a cookie on your client machine; that cookie contains an id that is related to your server-side session id. When you call the session_destroy() method, the server deletes that id on the server side, but the client-side cookie is not deleted. That is why your session id is still shown. You can also check by clearing cache and cookies. When you clear cookies, your session will be destroyed.

Lal krishnan S L
  • Does that mean it does not set the cookie for 1209600? If yes, then why? – Awlad Liton Jan 21 '14 at 04:44
  • Nope, just think about this: when you enter your Gmail account after clearing your browser cache and cookies, you will be automatically logged out, because the session in the browser is cleaned. – Lal krishnan S L Jan 21 '14 at 04:51