Session expires as user submits a long discussion post


I've had several complaints so far, that users get logged out when submitting a huge discussion post. No way to recover it by clicking the back button, or refreshing the page.

So far I've increased the session gc.maxlifetime parameter in PHP, but even if it's set to 24 hours, the user will have logged in 23 hours ago, to make a post at the end of the 24th hour.

Advice on how to fix this is welcome.

With Love,
Uddhava dāsa

  • Are you saying that people spend 24 hours creating a post?

  • Dear Kevin,

    Not precisely. 23 hours back, they logged in. Then they continue browsing the site, then at the 23rd hour, they create a discussion topic, and then they submit it after session expired (because they don't have to login again, 23rd hour, plus the time to make the post).
    At least that's the only explanation I have come to, otherwise, how is it that they get logged out?

    With Love,
    Uddhava dāsa

  • The default session time is 24 minutes, so if a user was writing a post for more than 24 minutes, his session expires.

  • Yes, and there is no way to recover the typed-in text by clicking the back button. Really bad. I increased session time to 24 hours, but still users complain, being logged out without any backup of their message.

    With Love,
    Uddhava dāsa

  • There's something wrong there. gc.maxlifetime is the maximum lifetime of an *inactive* session.

    In other words, your users would need to spend 24 hours on *one page* before they got logged out. If they navigate to another page, the clock should be reset.

    So I suspect that, as the other poster pointed out, something on your server is overriding your gc.maxlifetime setting and it is still using the 24 minute setting.

    You can check that with a phpinfo page in your Elgg root directory.

  • Also, increasing gc.maxlifetime is a real security risk for your members that use public computers (e.g. in cybercafes) and then forget to log out.

    In my view, the best option is to educate your users. They should:

    a. use "Remember me" when logging in if they are on a private computer. That keeps them logged-in for a month.

    b. Use "Remember me" on a public computer if they are sure they will remember to log out.

    c. Otherwise, try to complete a blog post in less than 24 minutes.

    The Elgg 1.7 form security tokens may present another issue as I believe users lose all their data if the token has expired. I think that the sticky forms system being developed in SVN may be intended to address that problem.

  • Hello Kevin,

    The system has 24 hour time limit, and although the user is active, while clicking "create discussion" still, the page expires. I believe it must be related to the server, since I'm in a shared environment. If the server happens to be rebooted while the user is writing, then he gets expired message.

    Only actual solution that I found so far is to tell the users to install a Firefox plugin that stores all forms text:

    It's good to know that sticky forms will come soon. Thanks for the reply.

    With Love,
    Uddhava dāsa

  • Hello Uddhava,

    "The system has 24 hour time limit"

    This makes me wonder if your problem has to do with the "session.gc_maxlifetime" setting. Like Kevin said, this is the maximum lifetime for an inactive session. What is "session.cookie_lifetime" set to? When this is set to 24 hours the session will expire after 24 hours, no matter if the user is active or not. Try setting this to 0 if you haven't already. Hope this helps you.

    Good luck.
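
A scripted version of the phpinfo check suggested earlier in the thread, as an added example that is not part of any post and is not Elgg code: it prints the `session.gc_maxlifetime` and `session.cookie_lifetime` values actually in effect for the directory it runs in and flags per-directory overrides. The helper name `session_lifetime_report` is an assumption of this example, and the output reflects PHP configuration only, not a session handler the application may register at runtime.

```php
<?php
// Added example (not Elgg code). Run it from the site's root directory so
// that any per-directory overrides (.htaccess, .user.ini) are applied.

// Hypothetical helper: turns ini_get_all('session') into readable findings.
function session_lifetime_report(array $ini): array
{
    $notes = [];
    foreach (['session.gc_maxlifetime', 'session.cookie_lifetime'] as $key) {
        $global = (int) $ini[$key]['global_value'];   // value from php.ini
        $local  = (int) $ini[$key]['local_value'];    // value in effect here
        $notes[] = sprintf('%s: %d s in effect, %d s in php.ini', $key, $local, $global);
        if ($local !== $global) {
            $notes[] = '  -> overridden below php.ini (.htaccess, .user.ini or vhost config)';
        }
    }

    $gc = (int) $ini['session.gc_maxlifetime']['local_value'];
    if ($gc === 1440) {
        $notes[] = 'gc_maxlifetime is the PHP default (1440 s = 24 minutes of inactivity)';
    } elseif ($gc > 1440) {
        $notes[] = 'gc_maxlifetime is above the default: an idle, forgotten login stays valid longer';
    }

    $cookie = (int) $ini['session.cookie_lifetime']['local_value'];
    $notes[] = $cookie === 0
        ? 'cookie_lifetime is 0: the session cookie lasts until the browser is closed'
        : "cookie_lifetime is {$cookie} s: the cookie expires that long after it was issued";

    // With file storage in a directory shared between sites, the site with the
    // shortest gc_maxlifetime cleans up everyone's session files.
    if ($ini['session.save_handler']['local_value'] === 'files') {
        $path = $ini['session.save_path']['local_value'] ?: sys_get_temp_dir();
        $notes[] = "sessions are stored as files in '{$path}'; if other sites use the same "
                 . 'directory, their garbage collection can delete these files earlier';
    }
    return $notes;
}

header('Content-Type: text/plain');
echo implode("\n", session_lifetime_report(ini_get_all('session'))), "\n";
```

Delete the file after reading its output, since it exposes server configuration to anyone who can request it.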

  • Thanks Loek,

    Yes, I also have cookie expire set to 0 hours. I guess it's just because of being in a shared server, no way to guarantee stability.

    Thanks for your comments.

    With Love,
    Uddhava dāsa