Session handling

An administrator can change the following settings in 'Session Handling' in the Site administration.


The Engine needs to store the session data in some storage. By default either file or database session storage is selected, this option allows admin to change it.

1. Timeout


If users don't load a new page during the amount of time set here, the application will end their session and log them out.


Be sure this time frame is long enough to cover the longest task your users may work on. If a user is logged out while they are working on a page, their work they have done may be lost.


Your Session Has Timed Out

2. Session storage

Change the Session Temporary Files Directory

2.1. File session

This storage used by default in new installation.


The path for session values to be saved. The default is /tmp, however it is important to change this to a custom folder for the application – especially if you are in a shared hosting enviorment. The garbage collector does not discriminate, and it will delete ANY session data that is older than the set limit, not just ones that correspond to your application.


constants.php:

const CACHE_SESSION_DIR				= '/tmp');	

most common custom folder locations

CACHE_SESSION_DIR Notes
Unix and Linux
default /tmp
/var/tmp
Application
_cache/session custom folder for the application
XAMPP
Linux /opt/lampp/temp
Windows /xampp/tmp e.g. '\\xampp\\tmp'

Notes:

  • File based sessions require file system that supports file locking.
  • Warning: If you leave this set to a world-readable directory, such as /tmp (the default), other users on the server may be able to hijack sessions by getting the list of files in that directory.

2.1.1. Inaccessible Session Directory

ToDo: bugs:558 - Inaccessible Session Directory

  1. const CACHE_SESSION_DIR = '/tmp'; is defined in constant.php, and currently not set via the installer
    • we may use ini_get('session.save_path') as indicator where the actual directory is, but we do not use the PHP build in session
      • write value, its a nuisance that the user currently has to do this on his own
      • however it does not work in a Shared Hosting environment
      • it may give you invalid values like 5;/tmp or 2;/var/tmp back

2.2. Database session

Set session_store either in the config table or via the Admin panel in the System section.


 'session_store' => 2,	

Custom Session Storage: This option defines where the the session data is stored. By default either file or database session storage is selected.
1 – File (default)
2 – Database


AP change session store modi
Change the session store modi from File to Database.

Notes:

  • DB sessions are not compatible with MyISAM database engine.
  • If you are using MariaDB/MySQL make sure that 'max_allowed_packet' in my.cnf (or my.ini) is at least 4M.
  • The performance is relatively low, it is not recommended for large sites.