Session Lifetime & How to increase your osC session life time? The Facts.

session lifetime $sess_life logout


#1   spooks

spooks
  • Members
  • 7,017 posts

Posted 12 March 2012 - 10:49

Many have issues with early session time outs causing loss of updates etc. and have trouble when their changes seem ineffective. So I'm starting this thread to try to clarify the situation.

1st File Based Sessions:

osC uses file based sessions when your config.php file has the line:


define('STORE_SESSIONS', '');


Sessions Folder

Your file based sessions are stored in the sessions directory as serialized text files. The sessions directory will be the server tmp folder by default, but it's a bad idea (and a security risk) to use that; you should create your own tmp folder, point to it in Admin->Sessions->Session Directory and ensure that folder has the correct permissions (777). osC 2.3 sets this up for you; you must do it yourself in 2.2 and below. A better method is detailed here.


Sessions Lifetime

File based sessions have their lifetime set by the php variable session.gc_maxlifetime; however, that is not an absolute limit for the life of the session. Rather it states that a session file with a fileatime (last access) older than session.gc_maxlifetime will be removed when garbage collection next runs, as defined by gc_probability/gc_divisor, which will be (assuming defaults) approx once every 100 session starts.


Extending Lifetime Limit

The default value for session.gc_maxlifetime is 1440 (24 minutes) and as long as you've set your folder as above and your host allows the change, you can increase the session time limit to 1 hour by adding

ini_set('session.gc_maxlifetime',3600);

to admin/includes/application_top.php just before: // Set the level of error reporting.


You can see your current/altered setting for session.gc_maxlifetime by looking for it in Tools->Server Info; you can also check there that the Sessions Folder you've set has been applied.



2nd MySQL Based Sessions: (Preferred Option)

osC uses MySQL based sessions when your config.php file has the line:


define('STORE_SESSIONS', 'mysql');


Sessions are stored again as serialized text within the sessions table of your database, with a field 'expiry' containing the timestamp after which the session data can be deleted by the garbage collection function. Again garbage collection runs based on gc_probability and session starts; however, in osC the only relationship to session.gc_maxlifetime is that if that value is set, $SESS_LIFE is set the same, which is used in turn to set the expiry timestamp.


I am not clear why there needs to be any relationship between session.gc_maxlifetime and the expiry timestamp since the garbage collection function will only delete sessions with an expired timestamp and there appears to be no other use for session.gc_maxlifetime in this instance. Should anyone be able to make a definitive explanation I'd be very interested to hear.



Why modifications often fail to extend session life:

A common modification is to simply change the value of $SESS_LIFE on line 20 of admin/includes/functions/sessions.php, but that will only have any effect if the previous $SESS_LIFE = get_cfg_var('session.gc_maxlifetime') returns 0 or false, which is unlikely, i.e. you will still get the 1440 secs default.

Another common modification is to add ini_set('session.gc_maxlifetime',xxx); to application_top.php as above. This may or may not work, depending on the server. Why? Because on some servers get_cfg_var('session.gc_maxlifetime') will return the master value for session.gc_maxlifetime, not the local one, i.e. you will still get the 1440 secs default.

The methods I have used that work:

Modify admin/includes/functions/sessions.php to remove:

if (!$SESS_LIFE = get_cfg_var('session.gc_maxlifetime')) {
  $SESS_LIFE = 1440;
}

Replacing with:

$SESS_LIFE = 3600;

Or alternatively replace

if (!$SESS_LIFE = get_cfg_var('session.gc_maxlifetime')) {

with

if (!$SESS_LIFE = ini_get('session.gc_maxlifetime')) {

and add:

ini_set('session.gc_maxlifetime',3600);
to admin/includes/application_top.php (near the beginning).

The same technique can be used to alter session lifetime on the client side; however, I would advise only a small increase over the default. I would also suggest you don't increase admin lifetime much more than one hour.

There is a contribution giving a safer version of my first method. http://www.oscommerc...tributions,5899


Why increasing session lifetime is a security risk:

An exploit exists known as session hijacking, which is when a malicious user obtains or intercepts a session cookie from another, using it to access the active session i.e. using the login session of the original without any login. Only expiring sessions early can circumvent this exploit.

Edited by spooks, 12 March 2012 - 11:03.

Sam

Remember, what you think I meant may not be what I thought I meant when I said it.

Contributions:


Auto Backup your Database, Easy way

Multi Images with Fancy Pop-ups, Easy way

Products in columns with multi buy etc etc

Disable any Category or Product, Easy way

Secure & Improve your account pages et al.

#2   MrPhil

MrPhil
  • Members
  • 5,381 posts

Posted 12 March 2012 - 14:12

Please note that 777 may not be the correct permissions on your particular server. I would suggest starting out with 755 for folder/directory permissions, and only try 775 (and as a last resort, 777) if that fails to work. Many servers block access to "world writable" (e.g., 777) files and folders, as they're a potential security hazard.

#3   spooks

spooks
  • Members
  • 7,017 posts

Posted 12 March 2012 - 15:13

Good point :) , the link I gave recommends 700 once ownership is assigned.
Sam


#4   spooks

spooks
  • Members
  • 7,017 posts

Posted 13 March 2012 - 22:14

For completeness, the 2nd option should be:

Or alternatively replace

if (!$SESS_LIFE = get_cfg_var('session.gc_maxlifetime')) {

with

if (!$SESS_LIFE = ini_get('session.gc_maxlifetime'))
  if (!$SESS_LIFE = get_cfg_var('session.gc_maxlifetime')) {

and add:

ini_set('session.gc_maxlifetime',3600);


to admin/includes/application_top.php (near the beginning).



as ini_get only returns the local value.

Edited by spooks, 13 March 2012 - 22:15.

Sam

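As an added illustration (not osCommerce code and not from any post in this thread), the script below contrasts the stock $SESS_LIFE resolution in sessions.php with the corrected ini_get()/get_cfg_var() fallback from post #4, and shows how a MySQL-stored session's 'expiry' timestamp follows from the resolved value. Function names and the sample timestamps are my own constructs.

```php
<?php
// Stock osC logic: get_cfg_var() only reads the php.ini (master) value,
// so an ini_set() made earlier in application_top.php is not seen here.
function sess_life_stock(): int {
    if (!$life = get_cfg_var('session.gc_maxlifetime')) {
        $life = 1440;                       // PHP default, 24 minutes
    }
    return (int)$life;
}

// Corrected resolution from the thread: prefer the runtime (local) value
// from ini_get(), fall back to the master value, then to the 1440 default.
function sess_life_fixed(): int {
    if (!$life = ini_get('session.gc_maxlifetime')) {
        if (!$life = get_cfg_var('session.gc_maxlifetime')) {
            $life = 1440;
        }
    }
    return (int)$life;
}

// MySQL-based sessions: the 'expiry' column is written as now + $SESS_LIFE.
function session_expiry(int $now, int $sessLife): int {
    return $now + $sessLife;
}

// Garbage collection on the sessions table removes rows whose expiry has passed.
function session_expired(int $expiry, int $now): bool {
    return $expiry < $now;
}

// What application_top.php does when you add the ini_set() line.
ini_set('session.gc_maxlifetime', '3600');

printf("stock resolution: %d s, fixed resolution: %d s\n",
       sess_life_stock(), sess_life_fixed());

$now = time();                              // constructed sample clock
$exp = session_expiry($now, sess_life_fixed());
printf("expiry written to sessions table: %d (+%d s)\n", $exp, $exp - $now);

// One second past expiry the row is eligible for deletion; before it, not.
var_dump(session_expired($exp, $now + 3601)); // bool(true)
var_dump(session_expired($exp, $now + 60));   // bool(false)
```

On a host whose php.ini leaves session.gc_maxlifetime at 1440, the stock function still reports 1440 after the ini_set(), while the fixed one reports 3600, which is exactly the failure mode described in the first post.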