session timeout suggestions wanted

I have a form where users logged in using sessions can edit articles in  
a WYSIWYG editor.  Some of them take their time and don't like to save  
their work very often and occasionally the sessions expire and their  
work goes poof.  (I've suggested editing off-line and simply copy+paste  
  but they prefer the editor.)

After a lot of searching I've found the main culprit is  
session.gc_maxlifetime and I can set it longer like...

ini_set('session.gc_maxlifetime', 7200); // 2 hour inactive session  

Are there other timeouts I should worry about with Apache/Linux?  
(Caches, etc..?)  My other php.ini settings are...

session.cache_expire    180 -> 3 hours shouldn't be a problem
session.cookie_lifetime    0   -> this means don't expire while the browser is open  

Now a few of my Google searches came up with a scenario for timeouts  
where the timezone of server and client have to be considered.  i.e. If  
server is ahead of client by 1 hour, is the session timeout reduced by 1  
hour for that client.  Can this be true??

Also are there any other problems with a php session lasting 2 hours?  
Small site, not a lot of users with these privileges or accessing the  

Thanks for any advice.

Re: session timeout suggestions wanted

Two hours isn't a long expiration time.  Two DECADES is a long
expiration time.  Of course, you need to consider security issues
and what the threat is.  Two hours inactive session timeout is way
too long for nuclear launch codes and probably for credit card
numbers.  Two decades may be fine for logging into a chat room.

Apache doesn't store sessions or session cookies (it does pass them
through on HTTP requests, but it doesn't care how old they are).  
PHP stores sessions and browsers store session cookies.  

It shouldn't be true but it might be anyway.  The expires time in
a Set-Cookie header in the response is supposed to be in *GMT*.
This should be enough to not have timezones be an issue, but it
isn't.  You can still have problems if (a) the client's (or server's)
clock is set incorrectly, or (b) the client's (or server's) idea
of what time zone it is in is incorrect.  Having both (a) and (b)
as problems with offsetting errors (e.g. user sets the wrong timezone
but the clock shows the correct local time, so he'll swear up and
down that his clock is set correctly) will get GMT off by some
number of hours.

If you accumulate a lot of session files in whatever directory
they are stored in, it might slow down searches for the files.
This is more likely to be a problem with a heavy-traffic site
and a long expire time (e.g. months, years, decades).

                    Gordon L. Burditt

Re: session timeout suggestions wanted

I had the same problem... what I did was to create a JS timer on the
The timer has a 20 minute countdown, when reaching close to the 20
minute barrier, the timer alerts the user about an auto-save, then
processes the page and returns to it...

My clients at first complained about it, but now they are forever
grateful... since sometimes they leave the machine for coffee or God
knows what...
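
The auto-save timer described in the post above, sketched as an added example (it is not the poster's code). The names createAutoSaver and postDraft, the /save-draft.php endpoint and the one-minute lead are assumptions; the timer is injectable so the logic can be exercised without waiting 20 minutes.

```javascript
// Added example. createAutoSaver, postDraft and /save-draft.php are
// hypothetical names, not taken from the thread.
const COUNTDOWN_MS = 20 * 60 * 1000; // the 20-minute countdown from the post
const LEAD_MS = 60 * 1000;           // assumed: act 1 minute before the limit

function createAutoSaver({ getContent, saveDraft, notify, timers = globalThis,
                           countdownMs = COUNTDOWN_MS, leadMs = LEAD_MS }) {
  let handle = null;
  let lastSaved = getContent(); // content the server already has

  function arm() {
    if (handle !== null) timers.clearTimeout(handle);
    handle = timers.setTimeout(fire, countdownMs - leadMs);
  }

  function fire() {
    const content = getContent();
    // Unchanged text sends no request, so an abandoned tab does not keep
    // renewing the server-side session.
    if (content === lastSaved) { arm(); return false; }
    notify('Auto-saving your work...');
    new Promise((resolve) => resolve(saveDraft(content)))
      .then(() => { lastSaved = content; },
            (err) => notify('Auto-save failed, copy your text: ' + err.message))
      .finally(arm);
    return true;
  }

  function stop() {
    if (handle !== null) timers.clearTimeout(handle);
    handle = null;
  }
  return { arm, fire, stop };
}

// Assumed endpoint that calls session_start(). The request carries the PHP
// session cookie, so a save also counts as activity for gc_maxlifetime.
function postDraft(content) {
  return fetch('/save-draft.php', {
    method: 'POST',
    credentials: 'same-origin',
    body: new URLSearchParams({ body: content }),
  }).then((res) => {
    // Assumption: an expired session answers with an error or a login redirect.
    if (!res.ok || res.redirected) throw new Error('HTTP ' + res.status);
  });
}
```

In a page it would be wired up as `createAutoSaver({ getContent, saveDraft: postDraft, notify: alert }).arm()`, with `getContent` reading the editor's current text.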

Re: session timeout suggestions wanted

Bugz and Gordon,

Thanks for the replies, they were both much appreciated!
