Session Timeouts

Three different mechanisms commonly enforce session timeouts.

  1. The fossology timeout.
  2. PHP session timeout - cron
  3. PHP session timeout - garbage collector

Fossology

This is a very long timeout (8 hours starting in fossology v1.3). It is set in ui/plugins/core-auth.php. You don't need to change this unless you want to extend the timeout period to over 8 hours. This is a fallback in case you have disabled the next two mechanisms.

PHP cron

PHP installs a cron job set to run every 30 minutes. This removes sessions (and therefore your fossology login) that haven't been used for 24 minutes.

In the following explanation, I'm using file paths from my Debian system. Your OS may put them somewhere else.

In /etc/cron.d/php5 you will find this command:

# Look for and purge old sessions every 30 minutes
09,39 *     * * *     root   [ -x /usr/lib/php5/maxlifetime ] && [ -d /var/lib/php5 ] && find /var/lib/php5/ -type f -cmin +$(/usr/lib/php5/maxlifetime) -print0 | xargs -n 200 -r -0 rm

Change it to run at an interval that you want in your environment. Here I've commented out the default command and changed it to only run at 7 am.

# purge only at 7 am (minute 0 of hour 7; "* 7" would run every minute from 7:00 to 7:59)
0 7    * * *     root   [ -x /usr/lib/php5/maxlifetime ] && [ -d /var/lib/php5 ] && find /var/lib/php5/ -type f -cmin +$(/usr/lib/php5/maxlifetime) -print0 | xargs -n 200 -r -0 rm

# Look for and purge old sessions every 30 minutes
#09,39 *     * * *     root   [ -x /usr/lib/php5/maxlifetime ] && [ -d /var/lib/php5 ] && find /var/lib/php5/ -type f -cmin +$(/usr/lib/php5/maxlifetime) -print0 | xargs -n 200 -r -0 rm

PHP configuration file

This is found on my Debian system at: /etc/php5/apache2/php.ini

If you looked closely, you probably noticed that the cron command doesn't mention the 24-minute maximum session age. That's because it is buried in the maxlifetime file, which gets its information from the PHP config file, php.ini. So in php.ini set these variables:

session.gc_probability = 1
session.gc_divisor = 1000
session.gc_maxlifetime = 28800

What those mean is that the PHP garbage collector runs with probability gc_probability/gc_divisor, here 1 in 1000, each time a session is started. When it runs, it deletes sessions that haven't been used in 28800 seconds (8 hours) or more. The default gc_maxlifetime is 1440 seconds (24 minutes). Now that you know what they do, you can set them to what works best in your environment.

Don't forget to reload or restart Apache after changing php.ini.
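
The cron schedule and gc_maxlifetime combine: a session only disappears at the first purge run after it has passed the age threshold, so the longest idle lifetime is roughly the threshold plus the cron interval. The script below is an added example, not part of fossology or of Debian's maxlifetime helper; its function names and sample files are constructed, and it ignores fossology's own timeout and PHP's garbage collector.

```shell
#!/bin/sh
# Added example; function names and sample files are constructed for illustration.

# Largest session.gc_maxlifetime (seconds) set in the given php.ini files.
# Falls back to PHP's default of 1440 when no file sets it. Taking the
# largest value across files is this example's choice.
gc_maxlifetime_seconds() {
    max=0
    for ini in "$@"; do
        [ -r "$ini" ] || continue
        # Only uncommented assignments match; the last one in the file wins.
        cur=$(sed -n 's/^[[:space:]]*session\.gc_maxlifetime[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$ini" | tail -n 1)
        if [ -n "$cur" ] && [ "$cur" -gt "$max" ]; then max=$cur; fi
    done
    [ "$max" -gt 0 ] || max=1440
    echo "$max"
}

# Age threshold in minutes, the unit find -cmin expects in the cron command.
purge_age_minutes() {
    echo $(( $(gc_maxlifetime_seconds "$@") / 60 ))
}

# Longest an idle session can survive (approximate): it may cross the age
# threshold just after one purge and wait a full cron interval for the next.
# $1 = minutes between cron runs, remaining args = php.ini files.
worst_case_idle_minutes() {
    interval=$1; shift
    echo $(( $(purge_age_minutes "$@") + interval ))
}

# Dry run: list the session files the purge would delete, without deleting.
# $1 = session directory, $2 = age threshold in minutes.
stale_sessions() {
    find "$1" -type f -cmin +"$2" -print
}

# Demo on constructed files (on the page: /etc/php5/apache2/php.ini, /var/lib/php5).
demo=$(mktemp -d)
printf '; constructed sample\nsession.gc_maxlifetime = 28800\n' > "$demo/php.ini"
mkdir "$demo/sessions" && : > "$demo/sessions/sess_constructed"
echo "purge age: $(purge_age_minutes "$demo/php.ini") min"
echo "worst case with a daily purge: $(worst_case_idle_minutes 1440 "$demo/php.ini") min"
echo "would purge now: $(stale_sessions "$demo/sessions" 480 | wc -l) file(s)"
rm -rf "$demo"
```

With the default 1440 seconds and the 30-minute cron job the worst case is about 54 minutes; with 28800 seconds and a once-a-day purge it is about 32 hours.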