Security Enforcer Timeout Question

brad · August 16, 2019, 6:17pm

If I understand correctly the security enforcer (in PHP) sets the session.gc_maxlifetime to some value. I know the default time can be set in the php,ini file. Unfortunately, on shared hosting plans you don’t have access to change that.

My question is what sort of things refresh that session? Is it just when you load a new page or refresh the current page? Or is there other interactions that keep the session alive? Perhaps there is some code you can add to change that timer?

I tried googling the subject but came up with no real helpful info.

Hyperbytes · August 16, 2019, 6:46pm

I think basically anything that causes a server interaction would refresh the session lifetime.
So perhaps a simple server action which basically does nothing (perhaps just a set value) called from the action scheduler

brad · August 16, 2019, 8:11pm

Testing that theory now. Hopefully that works. Default timeout is 22 minutes. Sometimes when we are dealing with clients it takes us longer than that to fill out a form.

max_gb · August 16, 2019, 8:15pm

Do you know which shared hosting provider will not let you edit the php.ini file? Do you have access to cPanel?

brad · August 16, 2019, 8:17pm

There is some setting in the ini file that can be changed but the maxtime isn’t one of them.

max_gb · August 16, 2019, 8:18pm

Some shared hosting providers will let you upload your own php.ini which overrides the original. Have you tried this?

brad · August 16, 2019, 8:19pm

The cPanel has a tool for it but unfortunately it doesn’t allow to change this value.

max_gb · August 16, 2019, 8:23pm

Would you be against using PHP code to extend the lifetime of the session cookie?

brad · August 16, 2019, 8:24pm

I wouldn’t be against that at all. I just don’t know how to go about it.

max_gb · August 16, 2019, 8:30pm

I have yet to try this in Wappler but have used this in the past for a similar situation. The code below should set the upper bound on the session duration

ini_set('session.gc_maxlifetime', 3600);

// should remember the session ID for 1 hour
session_set_cookie_params(3600);

session_start(); // should be good to go :)

brad · August 16, 2019, 8:32pm

Just wrap that in php tags?

max_gb · August 16, 2019, 8:33pm

Yes, but this may not work with all clients. Do you have a form or something on a page that you are trying to extend the session for?

brad · August 16, 2019, 8:35pm

Not a specific form. For example when one of our job coaches is meeting with a client they could have the client profile page open for an hour or so …

I will give your code a shott. Worth a try. All staff use Chrome browser.

brad · August 16, 2019, 8:36pm

Well, that didn’t work.

brad · August 16, 2019, 8:38pm

For some reason that code block prevents the page from loading.

max_gb · August 16, 2019, 8:40pm

Strange, mine is still working. I’ll PM you with some things to try out.

brad · August 16, 2019, 9:33pm

Apparently it can be extended in the .htaccess file with one line of code.

php_value session.gc_maxlifetime 3600

I’d still like to know what triggers the time reset though.

George · August 17, 2019, 7:33am

Maybe @patrick can advise and implement this as additional server connect global setting.

Hyperbytes · August 17, 2019, 1:11pm

As sessions are basically just cookies stored on the server it may be possible to manipulate its lifespan with something like this

<?php session_start([ 'cookie_lifetime' => 3600, ]); ?>

brad · August 17, 2019, 3:09pm

That would be a great global setting to be able to change. That one line in the.htaccess file seems to work.

I set it for two hours to test it and came back almost two hours later and was still logged in.