session timeout suggestions wanted

  • Craig Storey

    session timeout suggestions wanted

    I have a form where users logged in using sessions can edit articles in
    a WYSIWYG editor. Some of them take their time and don't like to save
    their work very often and occasionally the sessions expire and their
    work goes poof. (I've suggested editing off-line and simply copy+paste
    but they prefer the editor.)

    After a lot of searching I've found the main culprit is
    session.gc_maxlifetime and I can set it longer like...

    ini_set('session.gc_maxlifetime', 7200); // 2 hour inactive session timeout

    Are there other timeouts I should worry about with Apache/Linux?
    (Caches, etc..?) My other php.ini settings are...

    session.cache_expire 180 -> 3 hours shouldn't be a problem
    session.cookie_lifetime 0 -> this is don't expire while browser open
    right?

    Now a few of my Google searches came up with a scenario for timeouts
    where the timezone of server and client have to be considered. i.e. If
    server is ahead of client by 1 hour, is the session timeout reduced by 1
    hour for that client. Can this be true??

    Also are there any other problems with a php session lasting 2 hours?
    Small site, not a lot of users with these privileges or accessing the
    editor.

    Thanks for any advice.
    Craig
  • Gordon Burditt

    #2
    Re: session timeout suggestions wanted

    >I have a form where users logged in using sessions can edit articles in
    >a WYSIWYG editor. Some of them take their time and don't like to save
    >their work very often and occasionally the sessions expire and their
    >work goes poof. (I've suggested editing off-line and simply copy+paste
    >but they prefer the editor.)
    >
    >After a lot of searching I've found the main culprit is
    >session.gc_maxlifetime and I can set it longer like...
    >
    >ini_set('session.gc_maxlifetime', 7200); // 2 hour inactive session timeout

    Two hours isn't a long expiration time. Two DECADES is a long
    expiration time. Of course, you need to consider security issues
    and what the threat is. Two hours inactive session timeout is way
    too long for nuclear launch codes and probably for credit card
    numbers. Two decades may be fine for logging into a chat room.

    >Are there other timeouts I should worry about with Apache/Linux?

    Apache doesn't store sessions or session cookies (it does pass them
    through on HTTP requests, but it doesn't care how old they are).
    PHP stores sessions and browsers store session cookies.

    >(Caches, etc..?) My other php.ini settings are...
    >
    >session.cache_expire 180 -> 3 hours shouldn't be a problem
    >session.cookie_lifetime 0 -> this is don't expire while browser open
    >right?
    >
    >Now a few of my Google searches came up with a scenario for timeouts
    >where the timezone of server and client have to be considered. i.e. If
    >server is ahead of client by 1 hour, is the session timeout reduced by 1
    >hour for that client. Can this be true??

    It shouldn't be true but it might be anyway. The expires time in
    a Set-Cookie header in the response is supposed to be in *GMT*.
    This should be enough to not have timezones be an issue, but it
    isn't. You can still have problems if (a) the client's (or server's)
    clock is set incorrectly, or (b) the client's (or server's) idea
    of what time zone it is in is incorrect. Having both (a) and (b)
    as problems with offsetting errors (e.g. user sets the wrong timezone
    but the clock shows the correct local time, so he'll swear up and
    down that his clock is set correctly) will get GMT off by some
    number of hours.

    >Also are there any other problems with a php session lasting 2 hours?
    >Small site, not a lot of users with these privileges or accessing the
    >editor.

    If you accumulate a lot of session files in whatever directory
    they are stored in, it might slow down searches for the files.
    This is more likely to be a problem with a heavy-traffic site
    and a long expire time (e.g. months, years, decades).

    Gordon L. Burditt
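
Added example, not part of the thread: a small JavaScript model of the clock problem described in the reply above, for a cookie sent with an absolute GMT expires time. The function names, the date and the time-zone offsets are constructed for illustration.

```javascript
// Added example with constructed values; not code from the thread.
const HOUR = 3600 * 1000;

// Value a server would put in "expires=" for a cookie living lifetimeMs,
// based on what the server's own clock says UTC is.
function expiresHeader(serverUtcMs, lifetimeMs) {
  return new Date(serverUtcMs + lifetimeMs).toUTCString();
}

// What a machine believes UTC to be: the wall-clock reading minus the UTC
// offset of the time zone it is configured for (e.g. -5 for US Eastern).
function believedUtc(wallClockMs, configuredOffsetHours) {
  return wallClockMs - configuredOffsetHours * HOUR;
}

// Real time the browser keeps the cookie. The browser drops it once its own
// idea of UTC reaches the expires time, so an error in either clock shifts
// the lifetime one-for-one.
function effectiveLifetimeMs(trueUtcMs, serverUtcMs, clientUtcMs, lifetimeMs) {
  const expires = serverUtcMs + lifetimeMs;
  const clientError = clientUtcMs - trueUtcMs;
  return Math.max(0, expires - clientError - trueUtcMs);
}

// Constructed scenario: true time is 17:00 UTC and the server clock is right.
const trueUtc = Date.UTC(2004, 0, 1, 17, 0, 0);
const TWO_HOURS = 2 * HOUR;

// Case (a): the client clock simply runs one hour fast.
const fastClient = trueUtc + HOUR;

// Cases (a)+(b): the user is really at UTC-5 (local 12:00), but the machine
// is configured for UTC-8 and the wall clock was set to read 12:00.
const wallClock = Date.UTC(2004, 0, 1, 12, 0, 0);
const misconfigured = believedUtc(wallClock, -8); // machine thinks 20:00 UTC

console.log(expiresHeader(trueUtc, TWO_HOURS));
console.log(effectiveLifetimeMs(trueUtc, trueUtc, fastClient, TWO_HOURS) / HOUR);
console.log(effectiveLifetimeMs(trueUtc, trueUtc, misconfigured, TWO_HOURS) / HOUR);
```

In the last case the machine's idea of UTC is three hours ahead, so a two-hour cookie is already past its expires time when it arrives.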


    • Bugz

      #3
      Re: session timeout suggestions wanted

      I had the same problem... what I did was to create a JS timer on the
      page.
      The timer has a 20 minute countdown, when reaching close to the 20
      minute barrier, the timer alerts the user about an auto-save, then
      processes the page and returns to it...

      My clients at first complained about it, but now they are forever
      grateful... since sometimes they leave the machine for coffee or God
      knows what...
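
Added example, not Bugz's code: one way to build the countdown described in the post above. All names are hypothetical, and the cap on consecutive unattended saves is an addition that goes beyond the post, so that a machine left alone does not keep the logged-in session alive indefinitely.

```javascript
// Added example; names and the unattended-save cap are assumptions.
function createAutoSave(opts) {
  const {
    limitMs,        // countdown length, kept below the server session timeout
    warnMs,         // how long before the save the user is alerted
    maxUnattended,  // consecutive auto-saves allowed with no user activity
    warn,           // callback: tell the user an auto-save is coming
    save,           // callback: submit the editor content to the server
    setTimer = setTimeout,
    clearTimer = clearTimeout,
  } = opts;
  let warnId, saveId, unattended = 0;

  function arm() {
    clearTimer(warnId);
    clearTimer(saveId);
    warnId = setTimer(warn, limitMs - warnMs);
    saveId = setTimer(onDeadline, limitMs);
  }

  function onDeadline() {
    save(); // each save is a request, which keeps the session from going idle
    unattended += 1;
    // Past the cap, stop re-arming so an abandoned session is left to expire.
    if (unattended < maxUnattended) arm();
  }

  arm();
  return {
    // Call on keypress/click in the editor. It does not restart a running
    // countdown (constant typing must not postpone the save forever); it
    // only restarts one that stopped at the cap.
    activity() {
      const stopped = unattended >= maxUnattended;
      unattended = 0;
      if (stopped) arm();
    },
    stop() { clearTimer(warnId); clearTimer(saveId); },
    unattendedSaves: () => unattended,
  };
}
```

In a page, `save` would post the editor content and `warn` would show the notice; the timer functions are injectable only so the logic can be exercised without waiting 20 minutes.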


      • Craig Storey

        #4
        Re: session timeout suggestions wanted

        Bugz and Gordon,

        Thanks for the replies, they were both much appreciated!

        Craig
