Problem with sessions removing themselves

[eluser]Maglok[/eluser]
Greetings,

We use CI sessions a lot in our applications. Several of our applications have a 'bug'. If you do not do anything for a while, after logging in, if you click anything your session is gone and the application redirects to the login page.

We have this in several applications, but I will quote two ways of how we handle the sessions. We have looked all over the place and can't seem to find why our session is removed.

Here we go, one traditional config:

Code:

$config['sess_cookie_name']  = 'taakstelling_dev';
$config['sess_expiration']  = 0;
$config['sess_expire_on_close'] = FALSE;
$config['sess_encrypt_cookie'] = FALSE;
$config['sess_use_database'] = TRUE;
$config['sess_table_name']  = 'sessions';
$config['sess_match_ip']  = TRUE;
$config['sess_match_useragent'] = TRUE;
$config['sess_time_to_update'] = 60;

Another one is where we do not autoload the sessionlibrary, only load it in the part of the application we need to login and then set the database to true:

Code:

$config['sess_cookie_name']  = 'studyspot';
$config['sess_expiration']  = 72000;
$config['sess_expire_on_close'] = FALSE;
$config['sess_encrypt_cookie'] = FALSE;
$config['sess_use_database'] = FALSE;
$config['sess_table_name']  = 'ci_sessions';
$config['sess_match_ip']  = FALSE;
$config['sess_match_useragent'] = TRUE;
$config['sess_time_to_update'] = 300;

I can show you any specific code, but there is nothing that jumps out at us.

Bottom line: Why do we keep losing our sessions?

EDIT: I just realised here is some info, we set the session var 'logged_in' or 'loggedin', depending on what application we are talking about.

[eluser]srpurdy[/eluser]
make sure php is setup correctly would be the first thing to check.

One thing you can do is setup session and upload directory for the specific website in the php.ini.

Something like.
session.save_path=/home/myuser/sessions
upload_tmp_dir=/home/myuser/uploads

make sure both those folders are chmod 711 (assuming your running php under fast-cgi or suphp) otherwise you would likely need 777 permissions (which sucks) (if you need 777 permissions and you don't have root access to the server id suggest switching hosting, as that means the server is running under mod_php without mod_ruid2 and is likely very insecure. If you do have root access than switch to fast-cgi or suPHP.

Only reason I mention this is the only times I've ever had problems with sessions is if the server is either mis-configured or php is mis-configured.

See if that makes any difference first.

Most hosting uses the /tmp directory for sessions, Which is typically set to 777 because it's owned by root. So it's more secure to make your own folders and have them not world readable or write-able. So this should be done anyway, even if you don't have session problems.

[eluser]InsiteFX[/eluser]
Also check your server's date and time and make sure they are correct!

[eluser]Maglok[/eluser]
Hey there, thanks for the replies.

We are running a ISS server (not my choice!)

The thing is the server (and the same PHP config) also runs a lot of basic CMSs (drupal, wordpress, cmsmadesimple) and a slew of other PHP applications. I double checked, but it doesn't seem to be the PHP details.

I also checked the date and time again and they are correct.

It is really quite mysterious.

[eluser]InsiteFX[/eluser]
I think I did read something here in the forums were someone else was having the same problem and they had to use a wierd expire_timeout to fix it. Not sure where it is at but you could search for it.

[eluser]Maglok[/eluser]
Hmm a weird expire_timeout, I shall check it out.

EDIT: Darn, no hits on the search.