Session handling
An administrator can change the following settings in 'Session Handling' in the Site administration.
The Engine needs to store session data somewhere. By default, either file or database session storage is selected; this option allows the administrator to change it.
1. Timeout
If users don't load a new page during the amount of time set here, the application will end their session and log them out.
Be sure this time frame is long enough to cover the longest task your users may work on. If a user is logged out while working on a page, the work they have done may be lost.
2. Session storage
Change the Session Temporary Files Directory
2.1. File session
This storage is used by default in new installations.
The path where session values are saved. The default is /tmp; however, it is important to change this to a custom folder for the application, especially if you are in a shared hosting environment. The garbage collector does not discriminate: it will delete ANY session data that is older than the set limit, not just data that corresponds to your application.
constants.php:
const CACHE_SESSION_DIR = '/tmp';
Most common custom folder locations:

| | CACHE_SESSION_DIR | Notes |
|---|---|---|
| Unix and Linux | | |
| default | /tmp | |
| | /var/tmp | |
| Application | | |
| | _cache/session | custom folder for the application |
| XAMPP | | |
| Linux | /opt/lampp/temp | |
| Windows | /xampp/tmp | e.g. '\\xampp\\tmp' |
Notes:
- File-based sessions require a file system that supports file locking.
- Warning: If you leave this set to a world-readable directory, such as /tmp (the default), other users on the server may be able to hijack sessions by getting the list of files in that directory.
2.1.1. Inaccessible Session Directory
ToDo: bugs:558 - Inaccessible Session Directory
- const CACHE_SESSION_DIR = '/tmp'; is defined in constant.php and is currently not set via the installer
- we may use ini_get('session.save_path') as an indicator of where the actual directory is, but we do not use the PHP built-in session write value; it's a nuisance that the user currently has to do this on his own
  - however, it does not work in a shared hosting environment
  - it may give you invalid values like 5;/tmp or 2;/var/tmp back
- we may use
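One way to check a file session directory for the world-readable problem warned about in 2.1, and to recover the directory from a session.save_path value such as 5;/tmp (PHP documents the optional leading fields as directory depth and file mode, so the path is the last field). This is an added example, not the application's own code; the function names are hypothetical and POSIX permission bits are assumed.

```php
<?php
// Added example; function names are hypothetical. Assumes POSIX permissions.

// session.save_path may be "/path", "N;/path" or "N;MODE;/path";
// the directory is always the last semicolon-separated field.
function session_dir_from_save_path(string $savePath): string
{
    $parts = explode(';', $savePath);
    return trim(end($parts));
}

// Returns a list of problems with a file session directory (empty = OK).
function audit_session_dir(string $dir): array
{
    clearstatcache(true, $dir);   // do not trust cached stat() results
    if ($dir === '' || !is_dir($dir)) {
        return ["'$dir' is not a directory"];
    }
    $problems = [];
    if (!is_writable($dir)) {
        $problems[] = "'$dir' is not writable by the PHP process";
    }
    $perms = fileperms($dir) & 0777;
    if ($perms & 0004) {
        $problems[] = sprintf("'%s' is world-readable (mode %04o)", $dir, $perms);
    }
    if ($perms & 0002) {
        $problems[] = sprintf("'%s' is world-writable (mode %04o)", $dir, $perms);
    }
    return $problems;
}

// Constructed sample values, including the two forms quoted in the ToDo.
foreach (['/tmp', '5;/tmp', '2;/var/tmp', '2;0600;/var/tmp'] as $value) {
    printf("%-16s => %s\n", $value, session_dir_from_save_path($value));
}

// Audit a throwaway directory: first owner-only, then loosened to 0755.
$demo = sys_get_temp_dir() . '/session_demo_' . bin2hex(random_bytes(4));
mkdir($demo, 0700);
foreach ([0700, 0755] as $mode) {
    chmod($demo, $mode);
    printf("%04o: %s\n", $mode, implode('; ', audit_session_dir($demo)) ?: 'ok');
}
rmdir($demo);
```

In an installer or admin page, audit_session_dir(CACHE_SESSION_DIR) could be run once and any returned problems shown to the administrator.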
2.2. Database session
Set session_store either in the config table or via the Admin panel in the System section.
'session_store' => 2,
Custom Session Storage: This option defines where the session data is stored. By default either file or database session storage is selected.
1 – File (default)
2 – Database
Notes:
- DB sessions are not compatible with MyISAM database engine.
- If you are using MariaDB/MySQL, make sure that 'max_allowed_packet' in my.cnf (or my.ini) is at least 4M.
- The performance is relatively low; it is not recommended for large sites.