
CubeCart admin session auto-logging out after inactivity


bsandall


First noticed on 6.1.10 and still happens on 6.1.12.

Short periods of inactivity (20-30 minutes) cause me to automatically be logged out of the admin control panel.

Note that this appears to only affect the live store (tested in both Chrome and Firefox). My locally hosted test site does not exhibit this behavior, which leads me to suspect it may not be CubeCart causing this issue.

Is there perhaps a server setting that would be causing this to happen?

Link to comment

It's caused by session.gc_maxlifetime, and has been the bane of my life for getting on 2 years, until Al and I found it.

session.gc_maxlifetime

This value (default 1440 seconds (20 minutes)) defines how long an unused PHP session will be kept alive. For example: A user logs in, browses through your application or web site, for hours, for days. No problem. As long as the time between his clicks never exceeds 1440 seconds.

 

 

Edited by keat
Link to comment

Thanks, Keat, that has led me to what I believe is the solution.

Turns out that on shared hosting, the site with the shortest session.gc_maxlifetime variable ends up cleaning out the entire sessions directory because there is no way for it to tell which session file belongs to which site. See this StackOverflow answer.

I can only assume that a month or two ago, a new site was hosted with the default session lifetime and started cleaning up everyone's session files.

By setting a custom session save path, I should be able to avoid this problem. I guess I'll know in 20 minutes! ;)

Link to comment
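The shared-directory effect described in the post above, as an added example that is not part of the original thread and is not PHP's or CubeCart's code: a small Python model of file-based session garbage collection. The directory names, session IDs and helper functions are constructed for illustration; the 1440-second and seven-day lifetimes are the values quoted in this thread.

```python
import os
import tempfile
import time

def write_session(save_path, sid, idle_seconds, now):
    """Create a sess_<id> file whose mtime is `idle_seconds` in the past."""
    path = os.path.join(save_path, "sess_" + sid)
    with open(path, "w") as fh:
        fh.write("constructed session data")
    os.utime(path, (now - idle_seconds, now - idle_seconds))
    return path

def run_gc(save_path, gc_maxlifetime, now):
    """Model of a file-based session GC pass: delete every sess_* file in
    save_path idle longer than *this caller's* gc_maxlifetime. Nothing in
    the file name or directory records which site created the file."""
    removed = []
    for name in sorted(os.listdir(save_path)):
        path = os.path.join(save_path, name)
        if name.startswith("sess_") and now - os.path.getmtime(path) > gc_maxlifetime:
            os.remove(path)
            removed.append(name)
    return removed

def simulate(shared):
    """Store site (7-day lifetime) next to a neighbour on the 1440 s default.
    shared=True: both use one directory; False: the store has its own."""
    now = time.time()
    with tempfile.TemporaryDirectory() as root:
        neighbour_dir = os.path.join(root, "tmp")
        store_dir = neighbour_dir if shared else os.path.join(root, "store_sessions")
        for d in {neighbour_dir, store_dir}:
            os.makedirs(d, mode=0o700, exist_ok=True)
        admin = write_session(store_dir, "storeadmin", 30 * 60, now)  # idle 30 min
        write_session(neighbour_dir, "neighbour", 60, now)            # idle 1 min
        run_gc(store_dir, 7 * 24 * 3600, now)   # store's own GC pass keeps it
        survived_own_gc = os.path.exists(admin)
        run_gc(neighbour_dir, 1440, now)        # neighbour's GC pass
        return survived_own_gc, os.path.exists(admin)

if __name__ == "__main__":
    print("shared directory :", simulate(shared=True))   # (True, False)
    print("private directory:", simulate(shared=False))  # (True, True)
```

In real PHP the GC pass is triggered probabilistically on session start (session.gc_probability / session.gc_divisor), so the deletion happens some time after the lifetime threshold rather than exactly at it.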

I had noticed something in a recent version, but had not looked into it at the time.

The file global.inc.php-dist suggests that the session file repository can be specified. If it is specified, it will be used.

This implementation is not complete. But if you use (the equivalent of) CC_INCLUDES_DIR.'/extra', then CubeCart can manage its own session files.

Edited by bsmither
Link to comment

Oddly enough, my store is already set up to use the /extra folder, at least according to phpinfo.

And yet, until I changed the setting via cpanel, my sessions were getting deleted after 20 minutes.

Note that my cpanel setting is different than that in my CubeCart config, and always has been. The original was the default /tmp, to which I simply appended a new directory e.g. /tmp/new_but_unique_ish

When I view files on the server, there are session files stored in both the CubeCart-specified directory and the /tmp directory (but not the new one, which I didn't actually create a directory for).

Those in CC's directory are current, those in /tmp are from prior to me changing the directory in cPanel.

Also of note is that the ones in CC's directory do not appear to be getting garbage collected as there are significantly more from today than any day still in /tmp.

Thinking on this, it seems that cPanel's save_path counts as the path being specified as far as CubeCart is concerned, so CC's was not being used and I was stuck with the default. Viewing the files on my server, though, shows that the session save folder is definitely not shared with others - /tmp is in the same server directory as my /public_html folder.

So... now I really have no idea what's going on. :P

Edited by bsandall
Link to comment

When logging out (typically), Session->destroy() is called. In this function, among other things, if CubeCart has determined it should manage the sessions, expired session files are deleted. This is outside of (or in addition to) any PHP garbage collection efforts. And CubeCart considers an expired session file as being older (filemtime) than the timeout.

And that's the key: CubeCart must determine if it should manage the session files: Session->_manage_session_files. This is initially false.

It then gets set to true in Session->_start() only if:

CubeCart's configuration does not specify a path, or it doesn't exist, and
The actual current PHP session save path is not writable, and
CC_INCLUDES_DIR.'/extra' is writable.

If all of that is true, CubeCart uses CC_INCLUDES_DIR.'/extra' as the argument to PHP's session_save_path() function.

Link to comment

What I found is, it doesn't matter what settings you put in any PHP files, they are all overridden by the server default of 20 minutes.

Although, that 20 minute figure is then influenced by the garbage clean up, which may run later.

On my server, this equated to about 40 minutes.

 

Al did some coding work, that would copy this session data and dump it somewhere for safe keeping, although I recall him saying that even this wasn't ideal, as you would need a certain amount of user rights over the server, which most hosted plans don't offer. I don't recall the specifics, maybe speak to Al.

 

As I have my own server, and it only hosts a few CubeCarts, it was easier for me to change the server default than it was to start modifying files etc.

Link to comment

I'm not sure how the session cleanup is supposed to work, but it doesn't appear to be working.

After setting the session save_path manually in cPanel, and making only that one change, sessions are getting stored in CubeCart's includes/extra directory, which they weren't before, even though that is not the path I specified.

This directory is now full of sessions starting from 10/23. I'll check tomorrow to see if those get deleted - perhaps it's on a rolling 1-week basis.

Link to comment

CubeCart will use the /extra/ directory if all is true as I mentioned earlier. Then it becomes CubeCart's responsibility to manage this collection of session files. CubeCart will delete files older than the session timeout value (seven days).

But because CubeCart changes what location to use for session files only when it determines that doing so is necessary, and this change is only effective for that specific running of the CubeCart script, PHP (or anything else) may not be able to affect any of these files with its own garbage collection routines. (Or maybe PHP can as I really don't fully understand when PHP does its garbage collection.)
