Open diabolusss opened 1 year ago
The session timeout is actually something controlled by PHP. You can set it in your php.ini; I found this link: https://mazer.dev/en/php/posts/how-to-change-php-session-timeout/
It can actually be set using session-set-cookie-params: https://www.php.net/manual/en/function.session-set-cookie-params.php
Feel free to add it into StartPHPSession() and make it configurable.
> It can actually be set using session-set-cookie-params: https://www.php.net/manual/en/function.session-set-cookie-params.php
> Feel free to add it into StartPHPSession() and make it configurable.
It doesn't seem to be working well without editing php.ini. To check my use case, I've configured 'session.gc_maxlifetime' in php.ini to a 5-minute timeout and loganalyzer ini_set(session.gc_maxlifetime) to a week. While I'm staring at the loganalyzer page, everything is good, but after I power on my laptop after a sleep I'm forced to log in again. Using my smartphone, I need to re-login even more often – every time I close the browser; it doesn't happen with other sites with authorization.
On the contrary, when I configure 'session.gc_maxlifetime' in php.ini to a week, I don't need to re-login. To be precise, the native (apache?) login form still appears on the mobile browser, and after submitting, the previous loganalyzer page is loaded.
However, the strangest thing is that in both cases PHPSESSID cookie exists with correct max-age/expire time.
This does not seem to be a PHP session timeout but rather HTTP authentication, so you may look into TCP keep-alive settings of your webserver to extend that timeout.
The problem wasn't in the native apache login form. Anyway, I've disabled it now and will re-check if the issue persists.
> It doesn't seem to be working well without editing php.ini. To check my use case, I've configured 'session.gc_maxlifetime' in php.ini to a 5-minute timeout and loganalyzer ini_set(session.gc_maxlifetime) to a week. While I'm staring at the loganalyzer page, everything is good, but after I power on my laptop after a sleep I'm forced to log in again. Using my smartphone, I need to re-login even more often – every time I close the browser; it doesn't happen with other sites with authorization.
> On the contrary, when I configure 'session.gc_maxlifetime' in php.ini to a week, I don't need to re-login.
I've re-checked and it's still true - ini_set doesn't help.
```php
function StartPHPSession()
{
    global $RUNMODE;
    if ( $RUNMODE == RUNMODE_WEBSERVER )
    {
        // Set the session timeout to 10 days (in seconds)
        $timeout = 864000;
        // Set the max lifetime of the session data
        @ini_set( "session.gc_maxlifetime", $timeout );
        // Set the lifetime of the session cookie
        @ini_set( "session.cookie_lifetime", $timeout );
        // This will start the session
        @session_start();
        if ( !isset($_SESSION['SESSION_STARTED']) )
            $_SESSION['SESSION_STARTED'] = "true";
    }
}
```
UPD20240214 For the first time, I caught this error on admin pages while a user (with admin rights) was logged in. For some reason (I assume to check how it will behave on different paths), I've restricted /admin with /etc/apache2/.htpasswd. So, this time, to bypass the HTTP basic authorization form and access the /admin pages, I had to enter the login data from .htpasswd.
```apache
...
    <Directory "/var/www/html/admin">
        AuthType Basic
        AuthName "Restricted Content"
        AuthUserFile /etc/apache2/.htpasswd
        Require valid-user
    </Directory>
</VirtualHost>
```
On the other hand, I haven't caught it again on user pages, so I assume you are right, @alorbach, and the real cause of the problem was the Apache native login form.
Hello, could you please guide me on how to change the default session expiration time? Here it is mentioned that the default user session timeout is 30 minutes (is it true?). I want to extend its value, but can't find a place where to configure it.
OS: Ubuntu (Armbian), LogAnalyzer with MySQL.
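Added example (not LogAnalyzer's code and not written by anyone in this thread): on Debian and Ubuntu the packaged PHP disables its own session garbage collection and purges the default session directory from a scheduled job that takes gc_maxlifetime from php.ini, which is consistent with the report above that a runtime ini_set() had no effect. This sketch of a configurable StartPHPSession() variant therefore uses a private save path, sets the cookie flags through session_set_cookie_params(), and enforces the idle timeout on the server. The function name, `$savePath`, the `LAST_SEEN` key and the directory in the sample call are assumptions; the array form of session_set_cookie_params() needs PHP 7.3 or later.

```php
<?php
// Added sketch, not LogAnalyzer's code. Function name, $savePath and the
// LAST_SEEN key are assumptions made for this example.
function StartPHPSessionConfigurable(int $timeout = 864000, ?string $savePath = null): void
{
    // Session ini settings can only be changed before the session starts.
    if (PHP_SAPI === 'cli' || session_status() === PHP_SESSION_ACTIVE) {
        return;
    }

    if ($savePath !== null) {
        // A private directory is not touched by cleaners that apply
        // php.ini's gc_maxlifetime to the shared default save path.
        if (!is_dir($savePath) || !is_writable($savePath)) {
            throw new RuntimeException("Session directory not usable: $savePath");
        }
        session_save_path($savePath);
        // PHP's own probabilistic GC now has to expire old files (1 in 100 requests).
        ini_set('session.gc_probability', '1');
        ini_set('session.gc_divisor', '100');
    }

    ini_set('session.gc_maxlifetime', (string) $timeout);
    ini_set('session.use_strict_mode', '1'); // refuse session IDs the server did not issue

    $https = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
    session_set_cookie_params([
        'lifetime' => $timeout,   // persistent cookie: survives a browser restart
        'path'     => '/',
        'secure'   => $https,     // on HTTPS, never send the ID over plain HTTP
        'httponly' => true,       // keep the ID out of reach of page scripts
        'samesite' => 'Lax',
    ]);
    session_start();

    // Enforce the idle timeout on the server; cookie expiry alone is client-controlled.
    $now = time();
    if (isset($_SESSION['LAST_SEEN']) && $now - $_SESSION['LAST_SEEN'] > $timeout) {
        $_SESSION = [];
        session_regenerate_id(true); // new ID, old session file deleted
    }
    $_SESSION['LAST_SEEN'] = $now;
    if (!isset($_SESSION['SESSION_STARTED'])) {
        $_SESSION['SESSION_STARTED'] = "true";
    }
}

// Sample call (hypothetical path): one-week timeout, directory created beforehand, mode 0700.
// StartPHPSessionConfigurable(7 * 86400, '/var/lib/loganalyzer/sessions');
```

A longer lifetime widens the window in which a stolen session ID stays usable, so the Secure, HttpOnly and SameSite flags and the server-side `LAST_SEEN` check matter more as the timeout grows.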