Question

On a site I am working on, I get logged out almost daily. I assume there is a limit on the login duration.

I already set session.gc_maxlifetime to a very high value, using ini_set() in settings.php. This setting is visible in /devel/phpinfo.

Is there anything else that limits the login duration?

EDIT: The original problem occurred on a Drupal 7 site. But I imagine that the same problem and solution would apply in Drupal 8. Maybe someone wants to confirm this in the comments.


Solution

TLDR

Look for session.gc_maxlifetime and session.cookie_lifetime.

Inspect your session cookies with browser developer tools

To debug this, one can use browser developer tools to inspect the cookie's expiry date.

The cookie that is relevant for login has a key = "SESS...".

An "Expire" of "Session" means that the cookie expires when the browser is closed. Most of the time this is not what you want!

You can open other Drupal sites (e.g. drupal.org) and compare the cookies. It can also be interesting to compare with other Drupal sites installed on the same server (e.g. your localhost), and with different browsers. This can give you clues whether this is a problem with your global server config or with your specific site.

Check current PHP config in Drupal

Open admin/reports/status/php for current phpinfo. Look for session.cookie_lifetime and session.gc_maxlifetime.

A value of session.cookie_lifetime === 0 causes the Expire === Session for the session cookie. This means that closing the browser causes a logout. Otherwise, the number specifies seconds of login duration.

See http://php.net/manual/en/session.security.ini.php for more information.

Inspect your code and server config

  • ini_set() statements in your Drupal's sites/*/settings.php
  • Your .htaccess file.
  • Your server settings, e.g. in /etc/apache2/apache2.conf, or /etc/apache2/sites-enabled/... grep is your friend.

Also look for modules that modify login duration, such as https://www.drupal.org/project/autologout or https://www.drupal.org/project/autologout.

Fix.

Decide on suitable values for session.gc_maxlifetime and session.cookie_lifetime, and use one of the places mentioned above to set these values.

For the project I am working on, I decided to set both values to 1209600 === two weeks.
(2 * 7 * 24 * 60 * 60 seconds === 1209600 seconds)

About the values

For more information on these values, see

From the information I found, and my understanding of it:

  • session.gc_maxlifetime is a server-side limit, but session.cookie_lifetime is a client-side limit.
  • Even when session.gc_maxlifetime has run out, there is a chance for the session to stay alive for a bit longer, because the garbage collection only happens every once in a while (depending on session.gc_probability and session.gc_divisor).
  • A browser or other client could ignore or override the cookie lifetime, and keep the session alive longer than intended. I assume the expire date is also stored on server side, so I assume this won't help. See https://superuser.com/questions/442218/automatically-override-cookie-expiration-on-chrome where this is being discussed.
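
The "Inspect your code and server config" step above, as an added example that is not part of the original answer: a POSIX shell function that lists every uncommented place where the two directives are set, and a helper that says which limit applies for a given pair of values. The function names and output labels are hypothetical.

```shell
#!/bin/sh
# Added example: locate every place that sets the two session lifetime
# directives. Function names and output labels are hypothetical.

# find_session_settings PATH...
# Prints "file:line directive=value" for each uncommented numeric setting in
# any of these forms:
#   ini_set('session.x', N);   (settings.php)
#   php_value session.x N      (.htaccess / Apache config)
#   session.x = N              (php.ini)
# The second grep drops lines whose first non-blank characters start a
# comment (#, ;, // or *).
find_session_settings() {
    grep -rHnEs 'session\.(gc_maxlifetime|cookie_lifetime)' "$@" |
    grep -vE '^[^:]+:[0-9]+:[[:space:]]*(#|;|//|\*)' |
    sed -nE "s/^([^:]+):([0-9]+):.*session\.(gc_maxlifetime|cookie_lifetime)['\"]?[[:space:]]*[,=]?[[:space:]]*['\"]?([0-9]+).*/\1:\2 session.\3=\4/p"
}

# explain_lifetimes GC_MAXLIFETIME COOKIE_LIFETIME   (both in seconds)
# States which of the two limits ends the login first.
explain_lifetimes() {
    if [ "$2" -eq 0 ]; then
        echo "browser-session: cookie is dropped when the browser closes (server-side limit ${1}s)"
    elif [ "$1" -lt "$2" ]; then
        echo "server-limited: session data may be garbage-collected after ${1}s, before the cookie expires at ${2}s"
    else
        echo "cookie-limited: cookie expires after ${2}s"
    fi
}

# When run as a script with arguments, scan the given paths, e.g.
#   sh session_settings.sh sites/default/settings.php .htaccess /etc/apache2
if [ "$#" -gt 0 ]; then
    find_session_settings "$@"
fi
```

If the same directive shows up in several files, compare the result with the effective value shown at admin/reports/status/php.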
Licensed under: CC-BY-SA with attribution