• Status: Solved
  • Priority: High
  • Security: Private

PHP session expiring

Hi everybody.
I have a problem with PHP sessions.
I have developed a backend for a mobile app developed by another team of devs. The app sends requests to my PHP scripts, which collect data and send it to the mobile app.
The problem is that I have used PHP sessions and this way, if the mobile app doesn't send requests for 30 minutes, the session expires and the php scripts return bad or null values.

I now have to manage this issue and I'm wondering what the best way to do it is. Can I set the php.ini in order to make sessions never expire? Or do I have to tell developers to use Ajax to prevent session expiring? Or is there some better way?

Thanks for any suggestion :)
Marco Gasi
Jan Louwerens, Software Engineer, Commented:
If the requests coming in have that much time separating them, you might want to consider storing the data in a database, rather than in the session.
Dave Baldwin, Fixer of Problems, Commented:
You need to rewrite your code.  PHP session 'timers' are intentionally unreliable.  They are NOT intended to be used as timers but as the minimum time before starting garbage collection.  If you are the only one on that server, you can change the session timeout.  If you are Not the only one, then you will find out that the lowest timeout is the one that is used and that changing yours will have no effect.

By the way, if sessions never expire, that means you will collect the files containing $_SESSION[] data until all the disk space is used up.
Marco Gasi, Freelancer, Author Commented:
Thank you both, guys.
Okay I understand your points and I realize I didn't explain my problem in the right way.
Let me clarify. When the user opens the app and logs in, a session is stored on the server and the user id is saved in a session variable. This is the value I repeatedly check in various scripts when the app sends a request. If the app doesn't send any request for 30 minutes, the user id value expires and the next request fails.

I could arrange things to make the app save the user id in a local database (and/or in local Storage) and then send the value with any request and just drop the PHP session. But there are some operations which involve several scripts in sequence and there it would be better to use sessions.

Or maybe there is some other way to manage things I didn't think about...

What's your thought?
Dave Baldwin, Fixer of Problems, Commented:
Actually, we understand perfectly because we've answered and 'solved' this question many times already.  First, PHP sessions expire because of lack of activity.  Standard time-out is 24 minutes from the Last access.  If you have "several scripts in sequence" they will keep the session alive because the time-out is reset with every access.  If you access pages in a session every few minutes, you can keep a session open indefinitely, for days, weeks, even years and decades.

Sessions are only for short term access.  I always use a database for the important info.  That way (with appropriate coding), the user can come back days later and use it again.
Marco Gasi, Freelancer, Author Commented:
@Dave: I don't understand the relation between your comment and my question. But if you have solved the same question so many times, maybe you can just post a link to some of those threads...
Dave Baldwin, Fixer of Problems, Commented:
Since you can't control how long between accesses, use a database instead of sessions.  I leave it to you to look up the many questions here about PHP sessions.  Almost all of the problems arise from a misunderstanding of what sessions are good for.
Marco Gasi, Freelancer, Author Commented:
But I'm not using session to store data, just the logged user id: it looks like a standard use of the session to me...
Chris Stanyon Commented:
Hey Marco,

Sessions are designed to be just that - a session. A session will expire after 24 minutes of inactivity, or when the user closes down their browser. If you store the logged in user ID in a session, then that data will expire with the session. The idea of storing the data in the DB is so that data is not lost when the user closes the browser, or is inactive.

Instead of storing the user ID in a session, you store it in a cookie. A cookie allows you to set when it will expire, so you can choose a lifespan of say 1 year. Now when a user visits your site, the cookie will be sent to your server. This cookie will contain the User ID, and you can retrieve the data associated with that User ID from the DB. Even if they come back in 6 months, the cookie will be sent, the data retrieved and they will still be logged in.

A cookie is stored on the client machine, unlike a session which is stored on the server, so take that into account. For example, don't just store the user id as a simple int (1,2,3 etc.). Use something that is more secure, such as a hash. Plenty of guides online explaining best-practices for that.
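
One way to build the long-lived login cookie described in the answer above, as an added example that is not code from this thread: the cookie carries a random token instead of the user ID, and the server keeps only the token's SHA-256 hash with an expiry time. The `auth_tokens` table, the `login_token` cookie name and the function names are assumptions made for illustration.

```php
<?php
declare(strict_types=1);
const TOKEN_TTL = 60 * 60 * 24 * 365; // one-year lifespan, as in the answer above

// Call after a successful login: store only a hash of the random secret.
function issueLoginToken(PDO $db, int $userId): string
{
    $selector = bin2hex(random_bytes(9));   // public lookup key
    $secret   = bin2hex(random_bytes(32));  // never stored in clear on the server
    $stmt = $db->prepare('INSERT INTO auth_tokens VALUES (?, ?, ?, ?)');
    $stmt->execute([$selector, hash('sha256', $secret), $userId, time() + TOKEN_TTL]);
    return $selector . ':' . $secret;
}

// Call on every request: returns the user ID, or null if the token is unknown or expired.
function userIdFromToken(PDO $db, string $cookieValue): ?int
{
    $parts = explode(':', $cookieValue, 2);
    if (count($parts) !== 2) {
        return null;
    }
    $stmt = $db->prepare('SELECT token_hash, user_id, expires_at FROM auth_tokens WHERE selector = ?');
    $stmt->execute([$parts[0]]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || (int) $row['expires_at'] < time()) {
        return null;
    }
    // Constant-time comparison of the stored hash with the hash of the presented secret.
    $ok = hash_equals($row['token_hash'], hash('sha256', $parts[1]));
    return $ok ? (int) $row['user_id'] : null;
}

// Send the token in a cookie that scripts cannot read and that only travels over HTTPS.
function sendLoginCookie(string $token): void
{
    setcookie('login_token', $token, [
        'expires' => time() + TOKEN_TTL, 'path' => '/',
        'secure' => true, 'httponly' => true, 'samesite' => 'Lax',
    ]);
}

// Constructed demo with an in-memory SQLite database (hypothetical schema).
if (PHP_SAPI === 'cli') {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE auth_tokens (selector TEXT PRIMARY KEY, token_hash TEXT, user_id INTEGER, expires_at INTEGER)');
    $token = issueLoginToken($db, 42);
    var_dump(userIdFromToken($db, $token), userIdFromToken($db, $token . 'x'));
}
```

Deleting the matching `auth_tokens` row on logout or password change revokes the cookie server-side, which a bare user ID in a cookie cannot offer.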
Marco Gasi, Freelancer, Author Commented:
Hi Chris. Yes, sure. I should have thought by myself! But I didn't :) Thank you so much.
Question has a verified solution.
