Posted by Gordon Burditt on 10/17/02 11:27
>I have a form where users logged in using sessions can edit articles in
>a WYSIWYG editor. Some of them take their time and don't like to save
>their work very often and occasionally the sessions expire and their
>work goes poof. (I've suggested editing off-line and simply copy+paste
> but they prefer the editor.)
>
>After a lot of searching I've found the main culprit is
>session.gc_maxlifetime and I can set it longer like...
>
>ini_set('session.gc_maxlifetime', 7200); // 2 hour inactive session timeout
Two hours isn't a long expiration time. Two DECADES is a long
expiration time. Of course, you need to consider security issues
and what the threat is. Two hours inactive session timeout is way
too long for nuclear launch codes and probably for credit card
numbers. Two decades may be fine for logging into a chat room.
>Are there other timeouts I should worry about with Apache/Linux?
Apache doesn't store sessions or session cookies (it does pass them
through on HTTP requests, but it doesn't care how old they are).
PHP stores sessions and browsers store session cookies.
>(Caches, etc..?) My other php.ini settings are...
>session.cache_expire 180 -> 3 hours shouldn't be a problem
>session.cookie_lifetime 0 -> this is don't expire while browser open
>right?
>Now a few of my Google searches came up with a scenario for timeouts
>where the timezone of server and client have to be considered. i.e. If
>server is ahead of client by 1 hour, is the session timeout reduced by 1
>hour for that client. Can this be true??
It shouldn't be true but it might be anyway. The expires time in
a Set-Cookie header in the response is supposed to be in *GMT*.
This should be enough to not have timezones be an issue, but it
isn't. You can still have problems if (a) the client's (or server's)
clock is set incorrectly, or (b) the client's (or server's) idea
of what time zone it is in is incorrect. Having both (a) and (b)
as problems with offsetting errors (e.g. user sets the wrong timezone
but the clock shows the correct local time, so he'll swear up and
down that his clock is set correctly) will get GMT off by some
number of hours.
>Also are there any other problems with a php session lasting 2 hours?
>Small site, not a lot of users with these privileges or accessing the
>editor.
If you accumulate a lot of session files in whatever directory
they are stored in, it might slow down searches for the files.
This is more likely to be a problem with a heavy-traffic site
and a long expire time (e.g. months, years, decades).
Gordon L. Burditt
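
An added example, not part of the original post or of PHP's own code: one way to enforce the two-hour idle timeout from the server's clock only, so a wrong client clock or timezone cannot shorten or lengthen it. `IDLE_LIMIT`, `session_is_fresh()` and the `last_activity` session key are assumed names.

```php
<?php
// Added example. IDLE_LIMIT, session_is_fresh() and 'last_activity'
// are assumed names, not taken from the post.
const IDLE_LIMIT = 7200; // seconds; the 2-hour value from the question

// Server side: session data older than this becomes eligible for garbage
// collection. GC runs probabilistically, so this alone is not an exact timeout.
ini_set('session.gc_maxlifetime', (string) IDLE_LIMIT);

// Client side: 0 sends the cookie without an Expires attribute, so the
// browser's clock and timezone are never consulted; the cookie lasts
// until the browser is closed.
ini_set('session.cookie_lifetime', '0');

// Reject session IDs the server did not issue.
ini_set('session.use_strict_mode', '1');

/**
 * Decide whether a session is still within the idle limit,
 * comparing server timestamps only.
 */
function session_is_fresh(array $session, int $now, int $limit = IDLE_LIMIT): bool
{
    if (!isset($session['last_activity'])) {
        return true; // new session: nothing stored yet, nothing to expire
    }
    return ($now - (int) $session['last_activity']) <= $limit;
}

session_start();

if (!session_is_fresh($_SESSION, time())) {
    // Idle too long: drop the stored data and continue with a clean
    // session under a new ID.
    $_SESSION = [];
    session_destroy();
    session_start();
    session_regenerate_id(true);
}

// Record this request as activity, using the server's clock.
$_SESSION['last_activity'] = time();
```

Include this at the top of every page that uses the session, before any output is sent.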