From time to time, the session will abruptly end, forcing the user to log in again. This has the really deleterious side effect of the user losing data entered into a form.
This is not a timeout issue. Timeout is set to 0 for infinite sessions as long as the browser hasn’t been quit. It sometimes even happens immediately after logging in.
It previously only really happened on my development server, often just after saving a file and refreshing my browser to check changes. But today, users of my production server are complaining that it’s happening to many of them, on any page, and without any pattern. Sometimes the page works, sometimes they get booted.
I suspected something might be up with the cache so I deleted all the cache files in tmp, but shortly after doing that, it happened to me too. Tonight, when the users are all off the system, I plan to restart the server and pray this fixes the issue, whatever it may be. My other suspect is that it somehow has something to do with demand from the server, which is probably about double the normal today, although my VPS’s panel shows that memory usage has not exceeded about 25% allocation in the past three days (with MySQL server usage hitting about 63%).
I know this kind of thing also used to happen with 1.x and 2.x and I just ignored it since it was fairly rare. But I’ve never seen it happen so frequently in one day to so many different users. So it’s a definite problem, and definitely somehow related to something that must have changed somewhere between yesterday and today.
I did just do a code refresh on production from the development server. However, none of the code changes had anything to do with the config files or anything. They were all just controller and view changes.
Has anyone experienced this and have an idea of what the issue is and how to fix it?
CakePHP defaults session.cookie_secure to true when your application is on an SSL protocol. If your application serves from both SSL and non-SSL protocols, then you might have problems with sessions being lost. If you need access to the session on both SSL and non-SSL domains you will want to disable this:
Maybe it was foolish of me, but I assumed Cake’s timeout parameter to simply be a reflection of:
session.cookie_lifetime integer
session.cookie_lifetime specifies the lifetime of the cookie in seconds which is sent to the browser. The value 0 means “until the browser is closed.” Defaults to 0. See also session_get_cookie_params() and session_set_cookie_params().
When you let PHP handle session storage, garbage collection can be a little brutal. If the sessions are getting saved to the same area, across multiple PHP applications, then one garbage collect can result in all sessions getting cleared, whether they are ready for it or not.
I’ve usually worked around this by using the database to store session information; however, you could also use Memcached, if available.
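
The two causes suggested in the replies above (a Secure session cookie on a plain-HTTP request, and file-based sessions in a directory that other PHP applications also garbage-collect) can be checked against the running configuration. The script below is an added example, not code from the thread or from CakePHP; the function name `sessionFindings` and the wording of its messages are hypothetical, and it assumes `$_SERVER['HTTPS']` reflects the request scheme.

```php
<?php
// Added example, not code from the thread. Checks the two causes suggested
// above: a Secure cookie on a plain-HTTP request, and file sessions stored in
// a directory whose garbage collection is shared with other PHP applications.

function sessionFindings(array $ini, bool $isHttps, string $systemTmp): array
{
    $findings = [];

    // A Secure cookie is not sent over HTTP, so the request arrives with no
    // session id and the user appears logged out.
    if (filter_var($ini['session.cookie_secure'], FILTER_VALIDATE_BOOLEAN) && !$isHttps) {
        $findings[] = 'session.cookie_secure is on but this request is plain HTTP';
    }

    if ($ini['session.save_handler'] === 'files') {
        // save_path may be "N;MODE;/path"; the directory is the last field.
        $parts = explode(';', $ini['session.save_path']);
        $dir = rtrim(end($parts), '/');
        if ($dir === '' || $dir === rtrim($systemTmp, '/')) {
            $findings[] = 'sessions are stored in the system temp directory, '
                . 'which other PHP applications may also use and collect';
        }
        // Any app sharing the directory deletes files older than ITS lifetime.
        $findings[] = sprintf(
            'GC runs on about %d in %d session starts and deletes files idle for more than %d s',
            (int) $ini['session.gc_probability'],
            (int) $ini['session.gc_divisor'],
            (int) $ini['session.gc_maxlifetime']
        );
    }
    return $findings;
}

// Live values for the current request. $_SERVER['HTTPS'] is an assumption:
// behind a TLS-terminating proxy it may be unset even for HTTPS traffic.
$keys = ['session.cookie_secure', 'session.save_handler', 'session.save_path',
         'session.gc_probability', 'session.gc_divisor', 'session.gc_maxlifetime'];
$live = [];
foreach ($keys as $key) {
    $live[$key] = (string) ini_get($key);
}
$isHttps = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';

foreach (sessionFindings($live, $isHttps, sys_get_temp_dir()) as $finding) {
    echo "- $finding\n";
}
```

Run it through the web server rather than the CLI, since the two often load different php.ini files, and note that it reports PHP's own settings before any framework overrides them.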