Session configuration problems

[eluser]LuckyFella73[/eluser]
I have a Flash game that gets all needed values from
my CI application (each click at a Flash button causes
an interaction with my CI php files).

After log-in there a 2 restrictions:

1. after doing nothing (a klick in the Flash game "pings"
a php file) for 30 minutes the session has to be expired

2. after 12 hours playing the session has to
be expired

I tried setting

Code:

$config['sess_expiration'] = 1800;
$config['sess_time_to_update']     = 43200;

When starting the Flash game the session id is send to the
flash game. after each klick the responding php file sends
the actual session id wich is compared with the one that
was set when starting the game. If the session id is not
the same anymore (after expiring) the Flash game gives a message.

Unfortunately I get this message too early.

Any help would be great!

btw: I use CI DB sessions and autoload Sessions, my cookie name has
no underscore and I did set the cookie domain.

[eluser]InsiteFX[/eluser]
Check the time on your server this causes lots of problems

InsiteFX

[eluser]LuckyFella73[/eluser]
Thanks for the suggestion - I checked the server time but there isn't set
a wrong time.

[eluser]WanWizard[/eluser]
What is the definition of "too early"?

What happens if you go to the site with your browser after the flash game is timed out? Did you check the session table to see if anything happened with the session record or the session id?

[eluser]LuckyFella73[/eluser]
With "too early" I meant before 30 minutes of no activity (no php file in action).
I have allready clients looking at the game and they said that sometimes this
timeout-message appears after a few minutes. When I tested the game (doming nothing
for a while and then trying to continue) I got the message after 28 minutes pause.

I'll try to compare the session info in my database in my next test. I just know
that the message only appears if the session id is not the same as when the game
is started.

[eluser]WanWizard[/eluser]
What is the exact time difference between your PC and your server? And between the time on your clients PC and the server?

This is the big issue with sessions. If you say 30 minutes, it means 30 minutes from the time on the server. If your PC's clock is running 5 minutes fast, the cookie will expire in 25 minutes (from your perspective), and not in 30 minutes.

So if your server has 13:15 GMT as local time, it will send a cookie to the client with an expiry set to 13:45 GMT. If at that time your PC's clock says it's 13:30 GMT, the cookie will expire in 15 minutes, not in 30 minutes.

[eluser]LuckyFella73[/eluser]
Thank you for your post! I didn't know that the client time
is involved in that.

I'm pretty new in that session/ expire stuff, so I have one more
question:

I thought that:

Code:

$config['sess_expiration'] = 1800;

means that the session expires when there is no interaction for
1800 seconds. Is this right or does the setting mean that (undependent
of server-calls) the session will expire 1800 seconds after the session
was started? I'm afraid I'm on a completly wrong way ..

[eluser]WanWizard[/eluser]
The way the mechanism works is that a session cookie is sent to the browser containing the session_id. At the next request, this cookie is sent back to the server so the session class can retrieve the correct session.

This cookie has an expiration time, set by the server. The browser evaluates this time, and when it expires, the browser will delete the cookie locally. So at the next page request, no session cookie is sent to the server, causing the server to create a new session record with a new session_id, effectively expiring the previous session.

Every time a page is sent out to the browser, it will contain the session cookie, with an updated expiry timestamp. So it will expire the session after 1800 seconds of no activity, assuming that the time on both server and client are set correctly (as per my previous post).

If you want it to expire a fixed time after it was started, you have to either add a session_create timestamp to the session table (requires extension of the session class, and quite a bit of code), or add the value as a session variable, and check for expiry at every page load. If it expired, terminate the session (by deleting valies, calling sess_destroy(), etc).

[eluser]LuckyFella73[/eluser]
Thank you so much for taking the time to explain all the basics!

In the meantime I found out that in my case the problem was the
flash part. It seems that if the page request to a php file is
comming from a swf file, no cookie is sent to the server (like
you explained what normally happens when requesting a page by a browser)
So there is never an update at the server/ cookie and the session
expires even if a php file was called in the meantime.

I now did it like you suggested before: saving the start time in my
session and compare at every click. It works fine - thanks again!