session timeout question
damon2003
12-08-2003, 08:08 AM
Hi,
I have pages that use sessions to store user details. At the top of each page I have placed this code in an attempt to stop any sessions being timed out:
<?php
ini_set('session.cookie_lifetime', '86400');
session_start();
header("Cache-control: private");
?>
However, it appears that every so often sessions are being timed out, even though the user is only on the page for a short time, nowhere near the period I have set the session to time out. Why would this happen? Is it just that sessions time out for no reason every so often, or could it be a server thing or what?
thanks a lot
DaiWelsh
12-08-2003, 09:31 AM
How do you know that the sessions are timing out?
Sessions are often cookie dependent (though can be passed via url too) so anything that could stop cookie being sent by client could lose a session, e.g. cookies disabled, cookies deleted, possibly a proxy that requests a copy of the page but does not include cookies.
If you are basing your assumption about sessions timing out on some kind of errors in your log then you may want to check that it is a genuine user (not some form of bot for example that may not pass cookies) and if so whether they have cookies enabled.
Whatever the case is you should handle session failure gracefully, even if it is just by dumping them out to the login (if it is an authentication issue) or by restarting the session and any associated process from the beginning.
damon2003
12-08-2003, 09:42 AM
Hi,
I know the sessions are timed out because I have a check on a final page that tests if the session variables are set; if they are not, the user is informed of this and has to enter their info again. It doesn't happen very often though.
Aren't there 2 kinds of sessions? Normal sessions and session cookies? Are you saying that all sessions require the use of cookies?
thanks
DaiWelsh
12-08-2003, 09:48 AM
The web server needs some way to keep track of the session that belongs to a user. This can be done by ensuring that every link and every form has a variable included (you may have seen it occasionally called something like PHPSESSIONID) but it is far more common for it to be done with cookies as they are the 'standard' way of maintaining state on web sites.
You did not really answer my question - are the users telling you that they are being sent back to the beginning to re-enter the information or are you seeing this behaviour through a log or error report of some kind? If the users are telling you it is happening then that eliminates a lot of possible explanations and so makes your job easier (in theory).
damon2003
12-08-2003, 09:57 AM
Yes, a few users are being sent back to re-enter info. I have had a couple of people email me telling me that the session had timed out. At the moment, I am unsure whether these users have eventually got through, or keep failing; I am in the process of getting this info.
A while ago, I noticed that info kept in sessions was being lost in email that I got, so I implemented a test on the end page. So although I no longer get emails with missing info, I am not entirely sure how many users are losing their sessions. I will have to implement something where I get an email if the users lose their sessions. Either way, I know only a few are.
How come cookies are used as a standard way of maintaining state? I thought some people turn them off, and as such don't sessions have more support?
DaiWelsh
12-08-2003, 03:11 PM
It is a limitation of the way the web (well, HTTP really I guess) works, you have to remember that this infrastructure was originally intended for document storage, organisation and retrieval not as a platform for application development. As a result some of the things we have to deal with are far from ideal and one might even say 'cobbled together'. But that is where the fun is :)
Yes, some people do turn off cookies and as a result they are unable to log in to many sites. I guess that is a price they are willing to pay, I don't see it myself :D
damon2003
12-08-2003, 03:21 PM
Right, so getting back to the session question,
I am using standard sessions, so do these use cookies or not? I am assuming that they are not.
So from your last message, you're saying that sessions are not 100% reliable?
thanks a lot
DaiWelsh
12-10-2003, 05:03 AM
I would bet that your sessions are using cookies, but it depends on your server config I believe.
Whichever way the sessions are maintained you are correct that it is not safe to assume that a user will have session variables set at any given point, since the stateless nature of the web precludes this. Even if you set session on one page then have a single link to a second page where you check those session variables, any of the following would cause them not to be set when the second page is called:
- A user who has configured their browser in a certain way
- Client software that is not a regular browser (e.g. bots)
- A user going directly to the second page without passing through the first page
- A user who bookmarks the second page and then comes back weeks later when all session info has long since been deleted.
- A hacker
Which of these you feel is likely or unlikely for your site and how you want to handle them is up to you, but certainly you would not want anything that could corrupt your data to be dependent on them.
HTH,
Dai
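Added example, not part of any post in this thread: a final-page guard that treats missing session data as a normal case and restarts the flow, as suggested above. It also sets `session.gc_maxlifetime` (PHP default 1440 seconds), which controls when server-side session data may be garbage-collected independently of `session.cookie_lifetime`. The key names, the `started_at` key and `/form-start.php` are hypothetical; PHP 7.1+ is assumed.

```php
<?php
// Added example, not code from the thread. PHP 7.1+ assumed.
const SESSION_TTL   = 86400;             // the 24 h the thread's cookie_lifetime uses
const REQUIRED_KEYS = ['name', 'email']; // hypothetical fields kept in the session

// Returns null when the session is usable on the final page, else a reason string.
// Assumes the first page stored $_SESSION['started_at'] = time() (hypothetical key).
function session_problem(array $session, array $cookies, string $cookieName, int $now): ?string
{
    if (!isset($cookies[$cookieName])) {
        return 'no-cookie';      // cookies disabled, a bot, or a direct/bookmarked hit
    }
    foreach (REQUIRED_KEYS as $key) {
        if (!isset($session[$key]) || $session[$key] === '') {
            return 'missing-data'; // server-side data deleted or never set
        }
    }
    if (!isset($session['started_at']) || $now - (int) $session['started_at'] > SESSION_TTL) {
        return 'expired';
    }
    return null;
}

if (PHP_SAPI !== 'cli') {
    // Both settings must be changed before session_start().
    ini_set('session.cookie_lifetime', (string) SESSION_TTL); // browser-side cookie expiry
    ini_set('session.gc_maxlifetime', (string) SESSION_TTL);  // server-side data expiry
    session_start();
    header('Cache-Control: private');

    $reason = session_problem($_SESSION, $_COOKIE, session_name(), time());
    if ($reason !== null) {
        error_log("session lost on final page: $reason"); // fixed strings only, no user input
        $_SESSION = [];                                    // never act on partial data
        header('Location: /form-start.php?restart=1');     // hypothetical first page
        exit;
    }
    // ... safe to use $_SESSION['name'] and $_SESSION['email'] here ...
} else {
    // Constructed sample data so the check can be run offline with `php guard.php`.
    $now = 1070870880;
    $ok  = ['name' => 'A', 'email' => 'a@example.test', 'started_at' => $now - 60];
    var_dump(session_problem($ok, ['PHPSESSID' => 'x'], 'PHPSESSID', $now));
    var_dump(session_problem([], ['PHPSESSID' => 'x'], 'PHPSESSID', $now));
    var_dump(session_problem($ok, [], 'PHPSESSID', $now));
}
```

Logging the reason separates requests that never sent a cookie from ones whose server-side data vanished, which is the distinction asked about earlier in the thread.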