2

I'm having some trouble with the session timeout in a PHP application. I suspect the timeout is given by code, but I prefer checking the infrastructure first. The application I'm running is pure PHP 5.6 on Apache behind a classic LB in AWS. Devs told me that they don't manipulate the session cookie in the code, so I checked my apache2/php.ini file. This is the one:

[Session]
session.save_handler = files

session.use_strict_mode = 0

session.use_cookies = 1

session.cookie_secure = On

session.use_only_cookies = 1

session.name = PHPSESSID

session.auto_start = 0

session.cookie_lifetime = 0

session.cookie_path = /

session.cookie_domain =

session.cookie_httponly = 1

session.serialize_handler = php

session.gc_probability = 0

session.gc_divisor = 1000

session.gc_maxlifetime = 2400

session.referer_check =

session.cache_limiter = nocache

session.cache_expire = 180

session.use_trans_sid = 0

session.hash_function = 0

session.hash_bits_per_character = 5

url_rewriter.tags = "a=href,area=href,frame=src,input=src,form=fakeentry"

This is the main [PHP] section just in case:

[PHP]
engine = On

short_open_tag = On

asp_tags = Off

precision = 14

output_buffering = 4096

zlib.output_compression = Off

implicit_flush = Off

unserialize_callback_func =

serialize_precision = 17

disable_functions = pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,

disable_classes =

zend.enable_gc = On

expose_php = Off

max_execution_time = 30

max_input_time = 60

memory_limit = 128M

error_reporting = E_ALL

display_errors = On

display_startup_errors = Off

log_errors = On

log_errors_max_len = 1024

ignore_repeated_errors = Off

ignore_repeated_source = Off

report_memleaks = On

track_errors = Off

html_errors = On

variables_order = "GPCS"

request_order = "GP"

register_argc_argv = Off


auto_globals_jit = On

post_max_size = 800M

auto_prepend_file =

auto_append_file =

default_mimetype = "text/html"

default_charset = "UTF-8"


doc_root =

user_dir =

enable_dl = Off

file_uploads = On

upload_max_filesize = 750M

max_file_uploads = 20

allow_url_fopen = On

allow_url_include = Off

default_socket_timeout = 60

As far as I'm concerned there is absolutely nothing in the infrastructure which may impose a timeout. Am I right?

I've also checked the cookies in my browser and I'm receiving these parameters:

AWSELB PHPSESSID

Both cookies have this in Expires / Max Age --> 1969-12-31T23:59:59.000Z

Do I have to check something else? Any clues?

Thanks in advance.

nikolaigauss

2 Answers

0

Gotcha! Apparently there is a cron.d file named php, which is essentially a dash script (/bin/sh) that executes every 30 minutes and cleans the PHP sessions. This script evaluates both the apache2 and cli configs, so modifying the GC max lifetime value in both did the trick.

nikolaigauss
0

To handle sessions properly, take a look at: http://php.net/manual/en/session.configuration.php

There you'll find these variables:

  1. session.gc_probability
  2. session.gc_divisor
  3. session.gc_maxlifetime
Sukhjinder Singh
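
The first answer's finding, as an added example that comes from neither answer nor the distribution's cron script: with session.gc_probability = 0 PHP never collects sessions itself, so this sketch reads one php.ini per SAPI and reports the age threshold an external cleaner would apply. It assumes the cleaner uses the largest session.gc_maxlifetime it finds; the function names and the cli values are made up for the demonstration.

```shell
#!/bin/sh
# Added example (not from the post): find out which setting really bounds
# PHP file-session lifetime when a cron job, not PHP itself, does the cleanup.

# Print the last active (uncommented) value of KEY in php.ini FILE.
ini_get() {
    awk -F= -v key="$2" '
        /^[ \t]*;/ { next }                      # skip commented-out lines
        { k = $1; gsub(/[ \t]/, "", k) }
        k == key { v = $2; sub(/;.*/, "", v); gsub(/[ \t"]/, "", v); val = v }
        END { print val }' "$1"
}

# Usage: session_expiry WEB_INI [OTHER_INI...]   (e.g. apache2 first, then cli)
# Assumption: the cron cleaner deletes session files older than the LARGEST
# session.gc_maxlifetime among the files it evaluates. PHP's built-in defaults
# (gc_probability=1, gc_maxlifetime=1440) apply when a key is absent.
session_expiry() {
    prob=$(ini_get "$1" session.gc_probability)
    if [ "${prob:-1}" -gt 0 ]; then in_process=yes; else in_process=no; fi
    max=0
    for f in "$@"; do
        life=$(ini_get "$f" session.gc_maxlifetime)
        if [ "${life:-1440}" -gt "$max" ]; then max=${life:-1440}; fi
    done
    echo "in_process_gc=$in_process cron_threshold_s=$max"
}

# Constructed sample files: the apache2 values are the ones quoted in the
# question, the cli values are invented for the demonstration.
demo_dir=$(mktemp -d)
printf '[Session]\nsession.gc_probability = 0\nsession.gc_maxlifetime = 2400\n' \
    > "$demo_dir/apache2.ini"
printf '[Session]\n;session.gc_maxlifetime = 60\nsession.gc_probability = 0\nsession.gc_maxlifetime = 7200 ; batch jobs\n' \
    > "$demo_dir/cli.ini"

session_expiry "$demo_dir/apache2.ini"                      # what the question inspected
session_expiry "$demo_dir/apache2.ini" "$demo_dir/cli.ini"  # what the cron job evaluates
```

Run it against the real per-SAPI php.ini files on the host to see whether the value in the web server's file is the one that actually bounds how long session files, and therefore sessions, survive.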