Cake session unexpectedly ends

I have an issue that seems to occur randomly.

From time to time, the session will abruptly end, forcing the user to log in again. This has the really deleterious side effect of the user losing data entered into a form.

This is not a timeout issue. Timeout is set to 0 for infinite sessions as long as the browser hasn’t been quit. It sometimes even happens immediately after logging in.

It previously only really happened on my development server, often just after saving a file and refreshing my browser to check changes. But today, users of my production server are complaining that it’s happening to many of them, on any page, and without any pattern. Sometimes the page works, sometimes they get booted.

I suspected something might be up with the cache so I deleted all the cache files in tmp, but shortly after doing that, it happened to me too. Tonight, when the users are all off the system, I plan to restart the server and pray this fixes the issue, whatever it may be. My other suspect is that it somehow has something to do with demand from the server, which is probably about double the normal today, although my VPS’s panel shows that memory usage has not exceeded about 25% allocation in the past three days (with MySQL server usage hitting about 63%).

I know this kind of thing also used to happen with 1.x and 2.x and I just ignored it since it was fairly rare. But I’ve never seen it happen so frequently in one day to so many different users. So it’s a definite problem, and definitely somehow related to something that must have changed somewhere between yesterday and today.

I did just do a code refresh on production from the development server. However, none of the code changes had anything to do with the config files or anything. They were all just controller and view changes.

Has anyone experienced this and have an idea of what the issue is and how to fix it?

See the session config section in the docs, which says:

CakePHP defaults session.cookie_secure to true when your application is on an SSL protocol. If your application serves from both SSL and non-SSL protocols, then you might have problems with sessions being lost. If you need access to the session on both SSL and non-SSL domains you will want to disable this:

    Configure::write('Session', [
        'defaults' => 'php',
        'ini' => [
            'session.cookie_secure' => false
        ]
    ]);


Where did you read that 0 is infinite?
You are probably using the default ‘php’ session handler and timeout translates to
cake session handler, I don’t see a special setting for 0 there or in http://php.net/manual/en/session.configuration.php#ini.session.gc-maxlifetime

So you probably set it to 0, and why does it still keep the user logged in even if you set it to 0? Because of how PHP handles garbage collection - https://tideways.io/profiler/blog/php-session-garbage-collection-the-unknown-performance-bottleneck


Maybe it was foolish of me, but I assumed Cake’s timeout parameter to simply be a reflection of:

session.cookie_lifetime integer
session.cookie_lifetime specifies the lifetime of the cookie in seconds which is sent to the browser. The value 0 means “until the browser is closed.” Defaults to 0. See also session_get_cookie_params() and session_set_cookie_params().

https://book.cakephp.org/3.0/en/development/sessions.html#session-configuration

The cookie timeout is controlled by the session.cookie_lifetime ini value

It’s a separate setting.


My recollection is that previous versions of cake defaulted cookie lifetime to whatever you had timeout set to.

So let’s cut to the chase: how do you create an infinite session then?

You can’t, but you can set it to a very high number like 6 months or a year,

EDIT:
or just change it to some other handler that just doesn’t delete it.

I suspect it’s related to this [http://stackoverflow.com/a/3555570].

When you let PHP handle session storage, garbage collection can be a little brutal. If the sessions are getting saved to the same area, across multiple PHP applications, then one garbage collect can result in all sessions getting cleared, whether they are ready for it or not.

I’ve usually worked around this by using the database to store session information, however, you could also use Memcached, if available.

If PHP sessions are not sharing the same area, and you still want to use PHP managed file storage of session information, consider increasing the gc_divisor [http://php.net/manual/en/session.configuration.php#ini.session.gc-probability].

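To see which of the causes raised in this thread applies to a given server, the effective session settings can be audited. The following is an added example, not code from any poster or from CakePHP: `auditSessionSettings()`, the 8-hour idle target and the list of shared default paths are assumptions, and the sample values are constructed.

```php
<?php
// Added example. auditSessionSettings() is a hypothetical helper, not a CakePHP API.
// It checks the effective session ini values against the causes raised in this thread.
function auditSessionSettings(array $ini, int $wantedIdleSeconds): array
{
    $findings = [];

    // Server-side lifetime: files older than this are eligible for garbage collection.
    $maxLife = (int)($ini['session.gc_maxlifetime'] ?? 0);
    if ($maxLife < $wantedIdleSeconds) {
        $findings['gc_maxlifetime'] = "{$maxLife}s is shorter than the wanted {$wantedIdleSeconds}s";
    }

    // Browser-side lifetime: 0 means "until the browser is closed", nothing more.
    $cookieLife = (int)($ini['session.cookie_lifetime'] ?? 0);
    if ($cookieLife > 0 && $cookieLife < $wantedIdleSeconds) {
        $findings['cookie_lifetime'] = "{$cookieLife}s cookie expires before the wanted idle time";
    }

    // save_path may be "N;/path" or "N;MODE;/path"; the directory is the last field.
    $raw  = (string)($ini['session.save_path'] ?? '');
    $path = rtrim(substr(strrchr(';' . $raw, ';'), 1), '/');
    // Assumption: these common defaults are shared by every PHP app on the host.
    if ($path === '' || in_array($path, ['/tmp', '/var/lib/php/sessions'], true)) {
        $findings['save_path'] = "'{$path}' is a shared default; another app's GC can purge these files";
    }

    // With a Secure cookie, requests over plain HTTP arrive without the session.
    if (filter_var($ini['session.cookie_secure'] ?? false, FILTER_VALIDATE_BOOLEAN)) {
        $findings['cookie_secure'] = 'on: serve every page over HTTPS so the cookie is always sent';
    }
    return $findings;
}

// Constructed sample values (stock php.ini defaults with cookie_secure enabled).
$sample = [
    'session.gc_maxlifetime'  => '1440',
    'session.cookie_lifetime' => '0',
    'session.save_path'       => '',
    'session.cookie_secure'   => '1',
];
print_r(auditSessionSettings($sample, 8 * 3600));

// The same audit against the running configuration.
$keys = array_keys($sample);
print_r(auditSessionSettings(array_combine($keys, array_map('ini_get', $keys)), 8 * 3600));
```

Run the second call from within the web application rather than the CLI, since the CLI often loads a different php.ini and will not reflect values set through the `ini` key of the Session config.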