Is it possible for a host to lock a php ini settings?

Question

I'm working on a website which requires the use of sessions. However the default value for the life of a session is 1440 seconds or 24 mins. I have tried to change this using ini_set() making sure to put the ini_set() before the session_start() and then checking it with ini_get(). The ini_get() returns the value I have set but the session still seems to follow the default rules set.

So is it possible for a host to lock out editing of the ini settings?

Answer 1

Short answer: possibly.

It could be that they've disabled use of ini_set via the disable_functions directive in the global php.ini, however that doesn't explain the behavior you're seeing; the documentation isn't clear, but I'd expect it to throw an error if you called a disabled function, nor does it explain why ini_get returns what you've previously set. It's also entirely possible they're running their own patched version of PHP that alters this behavior. Not unheard of, but unlikely.

Things to try:

• setting it with session_set_cookie_params instead (needs to be before session_start)
• double checking that you're setting the correct param (session.cookie_lifetime) and that your ini_set is definitely placed before session_start, or that you don't have another session_start somewhere else

Answer 2

The awser is yes.

The php agent has 3 scopes.

1 System

This one effects all applications. Its the global.ini file. They can also disabling overwrites.

2 Perdir

This is your php.ini file. It only effects your directories. Here can you disable overwrites for the script scope and make overwrites in the system scope when allowed

3 Script

This is the ini_set scope. It can overwrite the perdir & system scope when allowed

So is it possible for a host to lock out editing of the ini settings?

Yes they can disable overwrites in there system scope.