
How to keep extending session life when user is active?

Let's say there's a site/system with a logged-in member area, and users are rarely, but very inconveniently, logged out while working with the site/system.

It's doubtful that the session is expiring, since the user was not idle for very long. And even if they were idle, I added a periodic AJAX request, a so-called heartbeat, which updates the session's access time and modified time. I even added a touch($session_file) every time a user clicks something or a heartbeat is called. I tried regenerating the session ID as well. Nothing helped.

And unfortunately, so far, I was not able to reproduce the problem locally, because it happens every so often, when there are more requests. Some php.ini parameters:

session.use_cookies = 1
session.use_only_cookies = 1
session.cookie_lifetime = 0
session.gc_probability = 1
session.gc_divisor = 1500
session.gc_maxlifetime = 10800
donk asked Aug 13 '12 07:08


2 Answers

Since sessions and authentication are already handled via one super controller in your code, it should be easy to at least rule out session destruction.

Typically only the login page creates a session, so at this point you can (and should) add a known value inside, such as the session id.

The other pages (including your heartbeat) resume an existing session, so at this point you look for the above value; if it's missing, you can do a few more checks:

  • Was a session cookie passed? If not, browser / cookie issue.
  • Does the session cookie correspond with session_id()? If not, session file was lost due to garbage collection.
  • Does the known value exist in the session? If not, session was truncated or someone is trying to do a session adoption attack.
  • Does the known value correspond to the session cookie? If not, the session was established via different means than cookie; you could check the session.use_only_cookies setting.

The above set of checks should point you in the right direction.

Ja͢ck answered Oct 05 '22 00:10
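
The four checks from the answer above, sketched as an added PHP example (not code from the answer or from the asker's application). The `known_sid` key and both function names are hypothetical, and the sample requests at the bottom are constructed.

```php
<?php
declare(strict_types=1);

// Hypothetical names throughout: 'known_sid', mark_session(), diagnose_session().

/** Login page only: store the known value (here the session ID) in the session. */
function mark_session(): void
{
    // If the application later calls session_regenerate_id(), refresh this value too.
    $_SESSION['known_sid'] = session_id();
}

/** Runs the answer's four checks in order and returns the first one that fails. */
function diagnose_session(array $cookies, string $cookieName, string $activeId, array $session): string
{
    $sent = $cookies[$cookieName] ?? null;
    if (!is_string($sent) || $sent === '') {
        return 'no_cookie';        // browser / cookie issue
    }
    if (!hash_equals($activeId, $sent)) {
        return 'id_mismatch';      // cookie does not correspond with session_id()
    }
    $known = $session['known_sid'] ?? null;
    if (!is_string($known)) {
        return 'marker_missing';   // session truncated, or a session adoption attempt
    }
    if (!hash_equals($known, $sent)) {
        return 'marker_mismatch';  // session not established via the cookie
    }
    return 'ok';
}

// In the application (after session_start() on every resumed page and heartbeat):
//   $r = diagnose_session($_COOKIE, session_name(), session_id(), $_SESSION);
//   if ($r !== 'ok') { error_log("session check failed: $r"); }  // never log the ID itself

// Constructed sample requests so the file runs from the CLI without a live session.
$cases = [
    'healthy'        => [['PHPSESSID' => 'abc123'], 'abc123', ['known_sid' => 'abc123']],
    'cookie dropped' => [[], 'new999', []],
    'new id issued'  => [['PHPSESSID' => 'abc123'], 'new999', []],
    'data lost'      => [['PHPSESSID' => 'abc123'], 'abc123', []],
    'marker differs' => [['PHPSESSID' => 'abc123'], 'abc123', ['known_sid' => 'old000']],
];
foreach ($cases as $label => [$cookies, $activeId, $session]) {
    printf("%-15s %s\n", $label, diagnose_session($cookies, 'PHPSESSID', $activeId, $session));
}
```

Logging the returned code together with a timestamp on every non-`ok` result shows which of the four cases coincides with the rare logouts.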


I presume you are using the built-in PHP file session storage? There are known race condition problems with it.

I had similar issues with losing session IDs when there were concurrent requests from the same session ID. Since the file was locked by the first request, all other concurrent connections were unable to access the file and some of them generated a new session ID. Those situations were also very rare and it took me time to locate the problem. Since then I'm using memcached for session storage and those problems vanished.

Miro answered Oct 05 '22 01:10