PHP Sessions users being logged out
I'm having trouble with a PHP website which requires users to be logged in to access all content other than the home page and a couple of static pages (about us, contact us etc.). Several users have said they are being logged out every few minutes whilst using the site - they can login but will be shown the login form again after a few minutes. I can't confirm this myself as the site seems to work fine for me - even using the same browser as they are and under their accounts - but I'm wondering if this could be a problem with the session settings?
According to phpinfo(), the session configuration values are:
session.auto_start = Off
session.bug_compat_42 = On
session.bug_compat_warn = On
session.cache_expire = 180
session.cache_limiter = nocache
session.cookie_domain = no value
session.cookie_httponly = Off
session.cookie_lifetime = 0
session.cookie_path = /
session.cookie_secure = Off
session.entropy_file = no value
session.entropy_length = 0
session.gc_divisor = 100
session.gc_maxlifetime = 1440
session.gc_probability = 1
session.hash_bits_per_character = 4
session.hash_function = 0
session.name = PHPSESSID
session.referer_check = no value
session.save_handler = files
session.save_path = /shared/sessions
session.serialize_handler = php
session.use_cookies = On
session.use_only_cookies = Off
session.use_trans_sid = 0
Is there anything obviously wrong with the above settings which could be causing users to be regularly logged out? session.gc_maxlifetime looks a bit low, but 1440 seconds is still 24 minutes and users are being logged out more regularly than that. We don't check the user's IP as part of the session handling, although the office has a static IP address anyway.
This is on a Debian Lenny server, PHP 5.2.6 and Apache 2.2.9.
Cranking up session.gc_maxlifetime to 3600 seems (after monitoring for a week or two) to have fixed the problem. I'm still not sure that was the true cause, as users were being logged out after 2-3 minutes, but it is worth trying for anyone who comes across a similar problem.
Logging every login/logout function call so that you can pair them off and spot any mismatches (e.g. lots of logins from one user without any logout calls) is also very useful. :)
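The pairing-off described in the post above can be automated. The following is an added example, not code from the original poster: it assumes a hypothetical log format written by the site's login/logout functions, uses a constructed sample log, and the name find_unpaired_logins is made up for illustration.

```php
<?php
// Added example. Assumed log format, one line per call made from the
// site's login/logout functions: "<ISO time> <login|logout> <user> <session id>"
date_default_timezone_set('UTC');

// Constructed sample log (not data from the site in the question).
$sampleLog = <<<LOG
2010-03-01T09:00:05 login alice a1f3
2010-03-01T09:01:00 login bob 4d21
2010-03-01T09:02:41 login alice 9c2e
2010-03-01T09:05:10 login alice 77b0
2010-03-01T09:40:00 logout bob 4d21
2010-03-01T10:15:00 login bob 5e90
LOG;

// Returns one finding per login that follows an earlier login by the same
// user with no logout in between, i.e. the earlier session ended some other way.
function find_unpaired_logins($logText, $gcMaxLifetime)
{
    $open = array();     // user => time of a login not yet matched by a logout
    $findings = array();
    foreach (preg_split('/\R/', trim($logText)) as $line) {
        if (!preg_match('/^(\S+) (login|logout) (\S+) (\S+)$/', $line, $m)) {
            continue;    // ignore lines that do not match the assumed format
        }
        list(, $time, $event, $user) = $m;
        $ts = strtotime($time);
        if ($event === 'logout') {
            unset($open[$user]);
            continue;
        }
        if (isset($open[$user])) {
            $gap = $ts - $open[$user];
            $findings[] = array(
                'user' => $user,
                'relogin_at' => $time,
                'gap_seconds' => $gap,
                // true: the session was lost sooner than gc_maxlifetime alone explains
                'before_gc_lifetime' => $gap < $gcMaxLifetime,
            );
        }
        $open[$user] = $ts;
    }
    return $findings;
}

// 1440 is the session.gc_maxlifetime value from the phpinfo() output above.
foreach (find_unpaired_logins($sampleLog, 1440) as $f) {
    printf("%s re-login at %s after %d s%s\n", $f['user'], $f['relogin_at'],
        $f['gap_seconds'], $f['before_gc_lifetime'] ? ' (under gc_maxlifetime)' : '');
}
```

A user who is legitimately logged in from two browsers at once will also show up as an unpaired login, so compare the logged session ids before treating a finding as a lost session.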
It seems that everything is OK - the session should expire after 1440 seconds. Is there a possibility that session_destroy() is called on one of the pages the user is visiting? Or maybe the $_SESSION array is altered and the user gets logged out because of that?
Also, did you reproduce the problem yourself? Users usually have a habit of making things big. 24 minutes may seem too often for them :)
Are you using any AJAX calls on that website?
If so, AJAX calls are known to not update session cookie (at least from my experience with the CodeIgniter framework, which also uses cookies to create and transfer sessions), so people get logged-out even though they shouldn't.
It might also be some setting in their browser - manual cookies expiration time, addons or something similar.