Session handling

An administrator can change the following settings in 'Session Handling' in the Site administration.


The Engine needs to store session data in some storage backend. By default either file or database session storage is selected; this option allows the administrator to change it.

1. Timeout


If users don't load a new page during the amount of time set here, the application will end their session and log them out.


Be sure this time frame is long enough to cover the longest task your users may work on. If a user is logged out while working on a page, the work they have done may be lost.


Your Session Has Timed Out

2. Session storage

Change the Session Temporary Files Directory

2.1. File session

This storage is used by default in new installations.


The path where session values are saved. The default is /tmp; however, it is important to change this to a custom folder for the application, especially if you are in a shared hosting environment. The garbage collector does not discriminate: it will delete ANY session data that is older than the set limit, not just data that corresponds to your application.


constants.php:

 define('CACHE_SESSION_DIR',		'/tmp');

Most common custom folder locations:

                  CACHE_SESSION_DIR   Notes
 default          /tmp                Unix and Linux
 application      _cache/session      custom folder for the application
 XAMPP, Linux     /opt/lampp/temp
 XAMPP, Windows   /xampp/tmp

Notes:

  • File based sessions require file system that supports file locking.
  • Warning: If you leave this set to a world-readable directory, such as /tmp (the default), other users on the server may be able to hijack sessions by getting the list of files in that directory.
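A permissions check for the warning above, as an added example that is not part of the application: it reports whether a directory chosen for CACHE_SESSION_DIR is accessible to other users on the server and lists session files they could read. The function names are hypothetical, and the demo uses a constructed scratch directory in place of the real application folder.

```sh
#!/bin/sh
# Added example (not the application's own code). Function names are hypothetical.

# Create a session directory that only its owner can list, enter or write (0700).
make_session_dir() {
    dir=$1
    mkdir -p "$dir" && chmod 700 "$dir"
}

# Return 0 if "other" users have no access to DIR, 1 if they do,
# 2 if DIR is not a directory.
check_session_dir() {
    dir=$1
    [ -d "$dir" ] || { echo "MISSING: $dir is not a directory"; return 2; }
    # Characters 8-10 of the ls mode string are the permissions for "other".
    other=$(ls -ldL "$dir" | cut -c8-10)
    case $other in
        ---) echo "OK: $dir is closed to other users"; return 0 ;;
    esac
    # r: others can list the file names in the directory (the hijack risk
    #    described in the warning); w: create or delete; x or t: enter.
    echo "RISK: $dir grants '$other' to other users"
    return 1
}

# Print the files under DIR that other users are allowed to read.
exposed_session_files() {
    find "$1" -type f -perm -004 2>/dev/null
}

# Constructed demo: a scratch directory stands in for the application root.
demo=$(mktemp -d)
make_session_dir "$demo/_cache/session"
check_session_dir "$demo/_cache/session"
check_session_dir /tmp || true    # the shipped default
rm -rf "$demo"
```

Run the check as the account the web server uses, since that account must keep access while all other accounts lose it.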

ToDo

  1. define('CACHE_SESSION_DIR', '/tmp'); is defined in constants.php and is currently not set via the installer
    • we may use ini_get('session.save_path') as an indicator of where the actual directory is, but we do not use the PHP built-in session -> write value; it's a nuisance that the user currently has to do this on their own

2.2. Database session

Set session_store either in the config table or via the Admin panel in the System section.


 'session_store' => 2,

Custom Session Storage: This option defines where the session data is stored. By default either file or database session storage is selected.
1 – File (default)
2 – Database


Notes:

  • DB sessions are not compatible with the MyISAM database engine.
  • If you are using MariaDB/MySQL, make sure that 'max_allowed_packet' in my.cnf (or my.ini) is at least 4M.
  • The performance is relatively low; it is not recommended for large sites.