
Resolved Cookie/Session TimeOut for client websites

TeamWalther-IT

New Pleskian
Hi,

I managed to change the session timeout in the Plesk panel successfully. But I am not able to change the session timeout for any of my client websites. I tried adding the following parameters to the local PHP settings of the client website:

session.gc_probability = 1
session.gc_divisor = 1
session.gc_maxlifetime = 21600
session.cookie_lifetime = 21600

The website is running PHP 7.2.14 (FPM). The server is running Debian.

phpinfo() shows a cookie lifetime of 21600, but different content management systems logged off after 10 minutes.

Any suggestions?

Regards, Torsten
 
OK, I managed to get it working for me now.

I changed the default value of 1440 (24 minutes) to 21600 (6 hours) for "session.gc_maxlifetime" in the following php.ini files:
/etc/php5/apache2/php.ini
/etc/php5/cgi/php.ini
/etc/php5/cli/php.ini
/etc/php5/fpm/php.ini

On Debian / Ubuntu there is a cron job (/etc/cron.d/php5) that removes all sessions in the standard session save path which are older than the maximum value of "session.gc_maxlifetime" found in all php.ini files. Unfortunately, this script only considers the standard php.ini files and ignores the additional parameters added manually for client sites in PHP. The cron job runs every 30 minutes and deletes standard sessions that are older than 24 minutes. After changing from 1440 to 21600, the sessions are now deleted after 6 hours.

For security reasons, and to reduce the chance of session hijacking, it would be better to leave the standard value of 1440 unchanged and instead set the "session.save_path" parameter explicitly for that one client website. If the sessions are stored in a different directory than the standard one, they will not get deleted by that cron job. You can then add the following directives, for example, as additional PHP parameters to that website:

session.gc_probability = 1
session.gc_divisor = 1
session.gc_maxlifetime = 21600
session.cookie_lifetime = 21600

If you go with this option, you have to handle the cleanup of the separate session.save_path on your own, for example with a script like this:
# gc_maxlifetime of 21600 seconds = 360 minutes; -cmin +24 would reproduce the 24-minute default
find /path/to/sessions -type f -cmin +360 -delete

Regards, Torsten
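A reusable version of that per-site cleanup, added here as an example and not part of Torsten's post: it derives the find threshold from the site's session.gc_maxlifetime value (seconds to minutes, rounded up so nothing is removed early) and only touches PHP's sess_* files, mirroring what the Debian cron job does for the default path. The save path and the use of mtime (-mmin) are assumptions; PHP rewrites the session file on every request, so mtime reflects the last activity.

```shell
#!/bin/sh
# Per-site session cleanup for a custom session.save_path (example, not from the post).
# Assumed site configuration (hypothetical path):
#   session.save_path    = /var/www/vhosts/example.com/sessions
#   session.gc_maxlifetime = 21600
# Run it from cron with the same directory and lifetime the site's PHP settings use.

# cleanup_sessions DIR MAXLIFETIME_SECONDS
# Deletes PHP session files (sess_*) in DIR not modified for MAXLIFETIME_SECONDS
# and prints the number of files removed.
cleanup_sessions() {
    dir=$1
    maxlife=$2
    [ -d "$dir" ] || { echo "cleanup_sessions: no such directory: $dir" >&2; return 1; }
    # find -mmin works in minutes; round up so a session is never removed
    # before gc_maxlifetime has actually elapsed
    minutes=$(( (maxlife + 59) / 60 ))
    # -maxdepth 1: only this directory; -name 'sess_*': only PHP session files,
    # so unrelated files in the same directory are never touched
    find "$dir" -mindepth 1 -maxdepth 1 -type f -name 'sess_*' \
        -mmin +"$minutes" -print -delete | wc -l | tr -d ' '
}

# Only run when invoked with both arguments (e.g. from cron); sourcing the
# file for the function definition alone does nothing.
if [ $# -eq 2 ]; then
    cleanup_sessions "$1" "$2"
fi
```

With gc_maxlifetime = 21600 the threshold becomes 360 minutes, so a session last used 6 hours ago is removed and an active one is kept.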
 