sessions management
#1

Hi Team,
We autoload the session library and make good use of the cross-page storage mechanism (file based).
My config is as follows:

$config['sess_driver'] = 'files';
$config['sess_cookie_name'] = 'MyAppName';
$config['sess_expiration'] = 7200;
$config['sess_save_path'] = '/var/www/html/saved_sessions';
$config['sess_match_ip'] = false;
$config['sess_time_to_update'] = 3600;
$config['sess_regenerate_destroy'] = false;

and my /etc/php/5.6/apache2/php.ini

session.save_handler = files
session.use_strict_mode = 0
session.use_cookies = 1
session.use_only_cookies = 1
session.name = PHPSESSID
session.auto_start = 0
session.cookie_lifetime = 0
session.cookie_path = /
session.cookie_domain =
session.cookie_httponly =
session.serialize_handler = php
session.gc_probability = 0
session.gc_divisor = 1000
session.gc_maxlifetime = 1440
session.referer_check =
session.cache_limiter = nocache
session.cache_expire = 180
session.use_trans_sid = 0
session.hash_function = 0
session.hash_bits_per_character = 5

I have a few problems which may be my misunderstanding!

1) We are using these session files currently to detect if a user already has a session open (i.e. we store a "logged_in" var in the session data). Unfortunately the logic detects any old regenerated session that is left on the file system. It appears the old sessions are never being garbage collected and deleted? Not sure why.


2) We currently use a cookie to store the session_id. However it appears to be a session_id from our domain name rather than the subdomain we are doing all our testing on. Again I'm not sure whether this is a good or bad thing.

I know sessions are quite sensitive and have read many articles giving advice.

So, I would like to know a) are we using sessions wisely/correctly? and b) is there a better way to limit a user to a single logged_in session on our website - in brief what are the best practices I should follow?

Thanks, Paul
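
Added example, not part of the original post and not CodeIgniter's own code: a read-only Python check for problem 1. It computes the per-request garbage-collection chance from the posted session.gc_* values (0/1000, so PHP's probabilistic GC never starts) and lists session files older than sess_expiration. The file naming <sess_cookie_name><session id> and the temporary directory with its sample files are assumptions constructed for the demo.

```python
import os
import re
import tempfile
import time

# Values copied from the post's CodeIgniter config and php.ini.
COOKIE_NAME = "MyAppName"
SESS_EXPIRATION = 7200
PHP_INI = """
session.gc_probability = 0
session.gc_divisor = 1000
session.gc_maxlifetime = 1440
"""

def gc_chance(ini_text):
    """Per-request chance that PHP starts session GC: gc_probability / gc_divisor."""
    vals = dict(re.findall(r"^session\.(gc_\w+)\s*=\s*(\d+)\s*$", ini_text, re.M))
    return int(vals["gc_probability"]) / int(vals["gc_divisor"])

def stale_session_files(save_path, cookie_name, max_age, now=None):
    """Return names of session files whose mtime is older than max_age seconds.

    Assumes files are named <cookie_name><session id>; anything else is skipped.
    """
    now = time.time() if now is None else now
    pattern = re.compile(re.escape(cookie_name) + r"[0-9a-zA-Z,-]+\Z")
    stale = []
    for entry in os.scandir(save_path):
        if not entry.is_file(follow_symlinks=False) or not pattern.match(entry.name):
            continue
        if entry.stat(follow_symlinks=False).st_mtime < now - max_age:
            stale.append(entry.name)
    return sorted(stale)

def demo():
    """Build a constructed save path with one fresh and one 3-hour-old session file."""
    now = time.time()
    with tempfile.TemporaryDirectory() as d:
        for name, age in ((COOKIE_NAME + "aaaa1111", 60),
                          (COOKIE_NAME + "bbbb2222", 3 * 3600),
                          ("index.html", 3 * 3600)):
            path = os.path.join(d, name)
            open(path, "w").close()
            os.utime(path, (now - age, now - age))
        return gc_chance(PHP_INI), stale_session_files(d, COOKIE_NAME, SESS_EXPIRATION, now)

if __name__ == "__main__":
    print(demo())
```

The check only reports; any "is this user already logged in" logic that reads the save path should ignore files this function lists as stale.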


Messages In This Thread
sessions managment - by PaulC - 05-14-2018, 10:01 AM
RE: sessions managment - by jreklund - 05-14-2018, 12:11 PM
RE: sessions managment - by PaulC - 05-16-2018, 11:15 AM
RE: sessions managment - by jreklund - 05-16-2018, 02:04 PM
RE: sessions managment - by PaulC - 05-17-2018, 02:44 AM
RE: sessions managment - by jreklund - 05-17-2018, 04:02 AM
RE: sessions managment - by PaulC - 05-17-2018, 05:16 AM


