On Thursday 20 July 2006 09:09, Jeffrey wrote:
> We have a site which requires users log in. Once they do so a session is
> created (session_start), some data is saved as session data,
> particularly data which identifies the user, their privileges, etc. If
> the session ends, breaks, etc., the user must log in again.
>
> There are also forms on the site. When a user submits a form, data, both
> posted and session, is saved to a MySQL database.
>
> If a session breaks when a user submits data via the form, the result is
> that the user must log in again, the data is lost and the user unhappy.
> This happens rarely - but when it does, it can upset the user who has
> put effort into completing the form.
>
> Is there a simple yet secure way of preventing this problem - for
> example passing the session id with the form and resurrecting the
> session if it has broken?
>
> Thanks,
>
> Jeff

To my knowledge, this particular behavior is by design.  After the time limit 
for a session has been reached, then the garbage collection will usually 
clean it up.  The only way to not break a session is to never clean up the 
session files, or set the timeout to a day or so.

I wouldn't suggest sending the PHPSESSID via a form.  That leads to people 
being able to hijack sessions....

<from file='php.ini'>
; After this number of seconds, stored data will be seen as 'garbage' and
; cleaned up by the garbage collection process.
session.gc_maxlifetime = 1440
</from>

HTH

-- 
Ray Hauge
Programmer/Systems Administrator
American Student Loan Services
www.americanstudentloan.com
1.800.575.1099

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
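
The two points in the reply above (lengthen session.gc_maxlifetime, keep PHPSESSID out of forms) can be combined as in the following added example, which is not part of the original message. The 8-hour limit, the helper name start_long_session() and the 'last_seen' key are assumptions made for illustration; the cookie options array requires PHP 7.3 or later.

```php
<?php
// Added example (not from the thread). Assumptions: HTTPS site, an
// 8-hour idle limit, hypothetical helper name start_long_session().
const IDLE_LIMIT = 8 * 3600; // seconds

function start_long_session(): bool
{
    // All ini changes must happen before session_start().
    // Keep session data at least as long as the idle limit, so garbage
    // collection does not discard it while a user is filling in a form.
    ini_set('session.gc_maxlifetime', (string) IDLE_LIMIT);

    // The session id travels only in the cookie: never in a URL or a
    // form field, where it can leak through logs, referrers or markup.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    // Reject session ids that the server did not issue itself.
    ini_set('session.use_strict_mode', '1');

    session_set_cookie_params([
        'lifetime' => 0,       // cookie lasts until the browser closes
        'path'     => '/',
        'secure'   => true,    // sent over HTTPS only
        'httponly' => true,    // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();

    // Garbage collection runs probabilistically, so a stale session can
    // outlive gc_maxlifetime. Enforce the idle limit explicitly instead
    // of relying on when the files happen to be cleaned up.
    $now = time();
    if (isset($_SESSION['last_seen'])
        && $now - $_SESSION['last_seen'] > IDLE_LIMIT) {
        session_unset();
        session_destroy();
        return false;          // caller sends the user to the login page
    }
    $_SESSION['last_seen'] = $now;
    return true;
}
```

If several applications store sessions in the same session.save_path, the one with the shortest gc_maxlifetime cleans up everyone's files, so give this site its own save path when raising the value.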
