
PHP sessions expiring too soon

Preventing Session Expired Errors


Session expired errors can be frustrating, especially when you are in the middle of
an important task. Fortunately, there are steps you can take to prevent these errors
from occurring in the first place. By following these best practices, you can ensure
that your sessions remain active and your data stays secure.

What causes PHP sessions to expire too soon?

Below are some of the reasons why the sessions may seem to expire too soon:
• Session Timeout Configuration: By default, PHP sessions are set to expire
after 1440 seconds (24 mins) of inactivity. This duration can be changed in
the php.ini, .htaccess, or PHP files. If this value is set too low, the sessions
will expire too soon before the users are done with their activities.
• Inactivity of Users: If users do not actively participate in the session for a
timeframe longer than the session timeout duration, that can also lead to
session expiration before they have finished their activity.
• Server Load: If the server is under heavy load or has too many active
sessions, it may not be able to keep all the sessions active, leading to some
expiring too soon.
• Expired Cookies: Though the user information in PHP sessions is stored on
the server, the session ID is stored in a cookie on the user's computer, so that
the server can identify the user in subsequent requests. If the browser is
configured to delete cookies when it is closed or after a certain period of time,
the session will expire prematurely.
• Network Interruptions: Another reason why PHP sessions can expire too
soon is due to network interruptions. If the connection between the client and
the server is lost or interrupted, the session can be lost, leading to expiration.
• Shared Session Directory: Session files on the server are cleaned up by the
garbage collector based on the value in the session.gc_maxlifetime directive.
If different websites have different values of this directive but share the same
directory for storing the session data, then the garbage collector uses the
minimum value to clean the data. Since by default PHP stores all session files
in the same directory, other PHP processes running on the same server can
set a shorter expiration time and cause their session data to be removed
together with yours.

How to fix PHP sessions expiring too soon


Below are several ways you can fix this issue.

Increasing duration in session timeout settings


You can increase the session timeout settings via the php.ini file or directly in PHP
files. Below is how you can increase the session timeout to 1 hour from the default 24
minutes by adding these lines at the very beginning of all PHP files that use
sessions.

<?php
// Keep session data on the server for 1 hour of inactivity
ini_set('session.gc_maxlifetime', 3600);
// Keep the session ID cookie in the browser for 1 hour
session_set_cookie_params(3600);
session_start();
?>

If there are many pages, you can create a single file, add these lines to it and then
include it at the top of each page using the include() function. This makes it easy to
change the session duration later in one place.

Alternatively, you can adjust the session timeout in the php.ini file as below.

session.gc_maxlifetime = 3600

Reduce the frequency of garbage collection

Every time a new session is started, there's a chance that garbage collection will
happen. When garbage collection happens, it deletes any session files that
haven't been accessed for longer than session.gc_maxlifetime.

You can reduce the probability of garbage collection happening on every session
initialization by configuring the session.gc_probability and session.gc_divisor
directives. The default value for session.gc_probability is 1, while that of
session.gc_divisor is 100.

The probability is calculated using gc_probability/gc_divisor, e.g. 1/100 means there
is a 1% chance that the garbage collection process starts on each request.

You can check and change these values in the php.ini file, as in the example below,
to keep the probability low.

session.gc_probability = 1
session.gc_divisor = 100

Setting a longer cookie lifetime


To prevent premature expiration of sessions due to cookies, set the cookie expiration
time to a longer period. This period should be greater than, or at least equal to your
session.gc_maxlifetime directive. You can set the cookie expiration time to one week
as follows:

<?php
ini_set('session.cookie_lifetime', 604800); // 1 Week
session_start();
?>

Setting session.cookie_lifetime value to 0 will keep the session active until the
browser is closed.
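
The rules from the last three sections can be checked in one place. The following is an added example, not code from the original page: the function name audit_session_config() and the sample values are hypothetical, and it assumes PHP 7.4 or later and a save_path given as a plain directory.

```php
<?php
// Added example: checks the session settings discussed on this page.
declare(strict_types=1);

/**
 * @param array<string,string>|null $cfg directive => value; null reads the live ini values
 * @return string[] one line per observation
 */
function audit_session_config(?array $cfg = null): array
{
    $keys = ['session.gc_maxlifetime', 'session.gc_probability',
             'session.gc_divisor', 'session.cookie_lifetime', 'session.save_path'];
    $cfg ??= array_combine($keys, array_map('ini_get', $keys));

    $ttl     = (int) $cfg['session.gc_maxlifetime'];
    $cookie  = (int) $cfg['session.cookie_lifetime'];
    $prob    = (int) $cfg['session.gc_probability'];
    $divisor = max(1, (int) $cfg['session.gc_divisor']);
    $path    = (string) $cfg['session.save_path'];
    $out     = [];

    // A cookie that expires before the server-side data ends the session early.
    if ($cookie !== 0 && $cookie < $ttl) {
        $out[] = "cookie_lifetime ({$cookie}s) is shorter than gc_maxlifetime ({$ttl}s)";
    }
    // gc_probability / gc_divisor is the chance of a GC run per session start.
    if ($prob === 0) {
        $out[] = 'gc_probability is 0: PHP never runs GC, so an external job must clean up';
    } else {
        $out[] = sprintf('GC runs on about %.2f%% of session starts', 100 * $prob / $divisor);
    }
    // An empty save_path or the system temp dir is usually shared with other sites.
    if ($path === '' || realpath($path) === realpath(sys_get_temp_dir())) {
        $out[] = 'save_path is a shared location: another site\'s GC can delete these sessions';
    }
    return $out;
}

// Constructed sample: a cookie lifetime that undercuts the server-side lifetime.
print_r(audit_session_config([
    'session.gc_maxlifetime'  => '3600',
    'session.gc_probability'  => '1',
    'session.gc_divisor'      => '100',
    'session.cookie_lifetime' => '1800',
    'session.save_path'       => '',
]));
```

Calling audit_session_config() with no argument reports on the configuration of the running PHP process.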

Setting a custom session directory


To prevent other sites/scripts running on the same machine as yours from setting a
shorter session expiration time, you need to set your own session directory.
Create a new folder in your user home directory (outside of your webroot) that PHP
has read/write access to. Then set the session.save_path directive to this new
directory.
For instance, if your site resides in the "/home/username/public_html" directory in the
cPanel file manager, you can create a folder like "/home/username/sessions" and
ensure it has (or set) proper permissions (i.e. 755).
Make sure you set this path along with the session.gc_maxlifetime with each and
every request before calling the session_start() function.

Then have these lines at the top of your PHP scripts:

<?php
// Private session directory, so another site's garbage collection cannot remove your sessions
ini_set('session.save_path', '/home/username/sessions');
ini_set('session.gc_maxlifetime', 3600);
session_start();
?>

Alternatively, you can set this in your php.ini file. In cPanel, specify the full path via
the MultiPHP INI Editor or directly in the php.ini file in the File Manager.

session.save_path = "/home/username/sessions"
session.gc_maxlifetime = 3600

Remember to replace "username" in the path with your actual username in the file
manager.
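
The single include file suggested earlier, combined with the private session directory, could look like the following. This is an added example, not code from the original page: start_app_session(), SESSION_DIR, SESSION_TTL and the last_activity key are hypothetical names, and it assumes PHP 7.3 or later and a site served over HTTPS. It uses mode 0700 rather than 755 because PHP's session file names contain the session ID, and it enforces the idle limit in the application because garbage collection only runs on a fraction of requests.

```php
<?php
// session_bootstrap.php - added example; include it before any output is sent.
declare(strict_types=1);

const SESSION_DIR = '/home/username/sessions'; // placeholder path from this page
const SESSION_TTL = 3600;                      // idle timeout in seconds

function start_app_session(string $dir = SESSION_DIR, int $ttl = SESSION_TTL): void
{
    // Session file names contain the session ID, so only the owning
    // account should be able to list or read this directory.
    if (!is_dir($dir) && !mkdir($dir, 0700, true)) {
        throw new RuntimeException("cannot create session directory: $dir");
    }
    if ((fileperms($dir) & 0077) !== 0) {
        chmod($dir, 0700);
    }

    ini_set('session.save_path', $dir);
    ini_set('session.gc_maxlifetime', (string) $ttl);
    ini_set('session.use_strict_mode', '1'); // reject IDs the server did not issue

    session_set_cookie_params([
        'lifetime' => $ttl,   // not shorter than gc_maxlifetime
        'path'     => '/',
        'secure'   => true,   // assumes HTTPS
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();

    // GC is probabilistic, so a stale session file may still exist:
    // enforce the idle limit here instead of relying on cleanup.
    $now  = time();
    $last = $_SESSION['last_activity'] ?? $now;
    if ($now - $last > $ttl) {
        session_unset();
        session_destroy();
        session_start();
        session_regenerate_id(true);
    }
    $_SESSION['last_activity'] = $now;
}

start_app_session();
```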

Security Measures

One of the main reasons for session expired errors is the security measures put
in place by websites and applications. These measures are designed to protect your
data from unauthorized access, but they can also cause sessions to expire
prematurely. To prevent this from happening, make sure that your security settings
are up-to-date and that you are using a strong password.

Ring-fencing
Ring-fencing is a technique used to isolate certain parts of an application or website.
This can help prevent session expired errors by ensuring that each section of the
application has its own session. By doing this, you can prevent one session from
affecting another, which can help reduce the risk of data loss or corruption.

Transact Actions
When you are performing actions within an application or website, it is important to
make sure that each action is properly transacted. This means that each action
should be treated as a separate transaction, with its own session and set of data. By
doing this, you can reduce the risk of data loss or corruption, and ensure that your
sessions remain active.

Regular Updates
Finally, it is important to keep your applications and websites up-to-date. Regular
updates can help prevent session expired errors by fixing bugs and improving
performance. By keeping your software up-to-date, you can ensure that your
sessions remain active and your data stays secure.

Conclusion

PHP sessions are essential in web development, and sessions that expire too soon are
frustrating and inconvenient for users. We have covered several ways in which you can
fix this issue.
