Some of our clients complained that they get logged out from their web-based applications, even though they haven't been idle or even logged in for too long, or as long as their web application states.
I looked into this issue and after several hours of testing I came up with this:
PHP, by default, stores session files under /tmp. The function which cleans those files is called Garbage Collection and works by looking at the mtime of those files.
If a PHP application defines a timeout of 5 hours, then those files have a "chance" (defined by the probability and divisor) of being cleaned.
So far so good, everything works as expected.
Until another PHP application from another user defines a timeout of 2 hours. Then, PHP will NOT differentiate between sessions from other users and will delete EVERYONE's sessions, thus the shortest session timeout in the entire shared server will precede all others.
So in order to solve this problem, you have to use different save paths ("session.save_path = ") for each domain you'd like a custom session timeout.
I hope this helps others...
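
Added example (not part of the original post): a PHP CLI script that reproduces the behaviour described above and shows the per-application save path avoiding it. The helper names `plant_session` and `run_gc_as_app`, the directory names and the session files are constructed for the demo; it assumes PHP 7.1+ with the default `files` session handler and both applications running under the same OS account.

```php
<?php
declare(strict_types=1);

// Constructed sample data: a session file last written $ageSeconds ago.
function plant_session(string $dir, string $id, int $ageSeconds): string
{
    $file = "$dir/sess_$id";
    file_put_contents($file, 'user|s:5:"alice";');
    touch($file, time() - $ageSeconds);   // GC decides on mtime only
    return $file;
}

// Act as one application: set its save path and timeout, then force the
// collection that normally fires by gc_probability / gc_divisor.
function run_gc_as_app(string $savePath, int $maxLifetime): void
{
    ini_set('session.use_cookies', '0');  // CLI demo, no cookie headers
    ini_set('session.save_path', $savePath);
    ini_set('session.gc_maxlifetime', (string) $maxLifetime);
    session_start();
    session_gc();                         // PHP >= 7.1
    session_destroy();                    // removes only this run's own session
}

$base    = sys_get_temp_dir() . '/sessdemo_' . getmypid();
$shared  = "$base/shared";   // stands in for the common /tmp
$private = "$base/appA";     // hypothetical per-domain save path
mkdir($shared, 0700, true);
mkdir($private, 0700, true);

// App A wants 5-hour sessions; its session was last touched 3 hours ago.
$inShared  = plant_session($shared, 'appA', 3 * 3600);
$inPrivate = plant_session($private, 'appA', 3 * 3600);

run_gc_as_app($shared, 2 * 3600);    // app B: 2-hour timeout, shared path
run_gc_as_app($private, 5 * 3600);   // app A: 5-hour timeout, own path

// Output only after all session calls, so ini_set() is still permitted.
clearstatcache();
printf("shared path, app A session kept:  %s\n", var_export(file_exists($inShared), true));
printf("private path, app A session kept: %s\n", var_export(file_exists($inPrivate), true));

// Clean up the demo directories.
array_map('unlink', glob("$base/*/sess_*"));
rmdir($shared);
rmdir($private);
rmdir($base);
```

Creating the per-domain directory with mode 0700 also keeps other accounts on the shared server from reading the session files.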