Account $_SESSION's lost when idle - only some sessions

[ejarnutowski]

I'm not a PHP Einstein, but i'm certainly not a stranger and i've never seen this behaviour before.  If you have any suggestions please let me know.  Thanks in advance.

 

I have multiple $_SESSION variables set when a user logs into thier account that never change unless they log out. (id, first_name, last_name, etc.)  I have one additional variable set for logged-in users that keeps track of the last "Account" page they visited (info, settings, main, etc.), so that when they leave their "Account" pages to browse the site and then return to "Account", they will land on the last "Account" page they visited.  The issue is this - When a logged-in user sits idle for a while, the $_SESSION variables that were set when they first logged in are lost.  Only those variables.  Not the "Account" page variable or other misc variables that are created during thier browsing of pages.  I don't have any inactivity or idle functionality that would log them off.  I dont have any code that unsets these variables unless they click "log out".  And if they do click "log out", the "Account" page variable would be unset too.

 

Any ideas? 

 

 

 

 

[PFMaBiSmAd]

Some of the possibilities -

 

1) Your 'log out' code is being executed somehow (a header() redirect that does not have an exit; statement after it...)

 

2) A logic error in your code that is clearing the session variables (such as if($var = '') instead of if($var == '').)

 

3) You have multiple different sessions for any one visitor due to the subdomain and/or path changing in the URLs being browsed to and the session cookie settings are not setup to match all variations of your domain/path.

 

4) Register_globals are on and is causing some of your session variables to be overwritten, either from $_GET parameters on the end of the URL or $_COOKIEs that match certain pages on your site.

 

5) 3-4 more things that did not occur to me while writing this...

 

Your post does not really contain enough information to narrow down the list. #1 and #2 would require seeing your code (including the log out code and how it relates to other code on your page.) #3 would require knowing the exact URL's being browsed to, the session.cookie settings, and if your code would allow more than one session to be created. #4 would require knowing the register_globals setting and what you are putting onto the end of the url and if any cookies are being used as well.