Autologout at random time after inactivity - symfony

I have a medical management created with Symfony 2.8 that at random times (from the customer's email text) logs out users after a bit of inactivity (this happens when they send a form (whatever it is)).
I have already increased the session time bringing it up to seven months.
The cache_lifetime is set to 0 ("when close your browser").
I have tried to recreate the problem but neither I nor my collaborator have found the problem (never logged out).
Is there a way to figure out why the system logged out users, or a function / controller / event to be called when there is an automatic logout, so that I can understand what the customer's browser does?

It is most likely your server that times out the session and not Symfony.
Anyways the best way (imo) to make sure you keep sessions in a Symfony app is to store them in the database.

    # app/config/config.yml
    framework:
        session:
            # ...
            handler_id: session.handler.pdo

    services:
        session.handler.pdo:
            class: Symfony\Component\HttpFoundation\Session\Storage\Handler\PdoSessionHandler
            public: false
            arguments:
                - 'mysql:dbname=mydatabase'
                - { db_username: myuser, db_password: mypassword }

Full doc article: http://symfony.com/doc/current/doctrine/pdo_session_storage.html

Related

How can I prevent autologout of user in Symfony 4?

When the user uses my symfony application, then after a couple of minutes the user is automatically logged out, while he is working with the application. To prevent that I changed in
config/packages/framework.yaml

    framework:
        session:
            cookie_lifetime: 86400
            gc_maxlifetime: 1800

This means the cookie lifetime is set to 24 hours. So I expect the user will only be logged out when he closes the browser. But in reality he is still automatically logged out after half an hour or so. What other options can I try?
Did you try to unset gc_maxlifetime? It seems that PHP clears the session after this time. Moreover, it's a 30-minute lifetime, like your logout problem.

    framework:
        session:
            cookie_lifetime: 86400

You should definitely not set gc_probability to null, otherwise PHP won't ever clean your "dead" sessions and your server will run out of disk space after a time.
Also, it can be worth having a look at your php.ini configuration values, because PHP will take them if they aren't specified in the Symfony configuration.
In other words, Symfony overrides your PHP configuration if you specify some configurations (there is a list of them).
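
The answer above points at gc_maxlifetime and at php.ini values that apply when Symfony does not set them. As an added example (not code from the thread), this PHP script prints the session settings in effect and flags the combination from the question, a cookie that outlives the server-side session data; the function name auditSessionSettings is made up for this illustration.

```php
<?php
// Added example, not from the thread: audit the session settings PHP is using.

/**
 * @param array<string,string> $ini effective values as returned by ini_get()
 * @return string[] findings
 */
function auditSessionSettings(array $ini): array
{
    $cookie  = (int) $ini['session.cookie_lifetime'];
    $maxLife = (int) $ini['session.gc_maxlifetime'];
    $prob    = (int) $ini['session.gc_probability'];
    $divisor = max(1, (int) $ini['session.gc_divisor']);
    $findings = [];

    // cookie_lifetime only controls the browser cookie (0 = until the browser
    // closes); the server-side data is collectable after gc_maxlifetime idle.
    if ($cookie === 0 || $cookie > $maxLife) {
        $findings[] = sprintf(
            'Session data is eligible for garbage collection after %d s idle, while the cookie is still valid.',
            $maxLife
        );
    }
    if ($prob === 0) {
        $findings[] = 'gc_probability is 0: PHP itself never collects sessions; look for an external cleanup job.';
    } else {
        $findings[] = sprintf(
            'GC starts on about %.2f%% of session starts, so the moment an idle session disappears varies.',
            100 * $prob / $divisor
        );
    }
    return $findings;
}

// Load this through the web server, not the CLI, which may read another php.ini.
$keys = ['session.cookie_lifetime', 'session.gc_maxlifetime',
         'session.gc_probability', 'session.gc_divisor', 'session.save_path'];
$effective = [];
foreach ($keys as $key) {
    $effective[$key] = (string) ini_get($key);
    printf("%-26s = %s\n", $key, $effective[$key]);
}
foreach (auditSessionSettings($effective) as $finding) {
    echo '- ', $finding, "\n";
}
```

Values that Symfony overrides only show up once its session storage has been created, so run the script from inside the application after the session has started.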

Symfony: logout automatically in a very short period of time

Whenever a user connects to the application, after a very short period of time (like 2 or 3 minutes) he gets logged out from the application.
I thought it's the session's lifetime that is very short, so I have increased it in the config.yml file like this:

    framework:
        session:
            cookie_lifetime: 7200

But still the same problem.
The application works fine on localhost but I face this when it's running remotely!
Is there anything I should be aware of to fix this issue?
Check your session.cookie_lifetime in the php.ini file of your remote server, I'm not sure but it may override the parameters in Symfony.
After you change it, don't forget to restart php so the change is taken into account.

Symfony2 FOSUserBundle disable automatic logout after a period of inactivity

I can't seem to find the solution on how to disable auto logout after inactivity. I'd like the sessions to stay alive until the browser window is closed.
Is it just the session: config in the config files that is causing the logout or is it some FOSUserBundle config I cannot seem to find?
Have you tried to set the session lifetime like this:

    framework:
        session:
            cookie_lifetime: 60 # 60 seconds
            gc_maxlifetime: 50  # 50 seconds - only needed for testing. Don't use this in a production environment
            gc_probability: 1   # only needed for testing. Don't use this in a production environment
            gc_divisor: 1       # only needed for testing. Don't use this in a production environment


What is the best practice to use profiler data from production system?

Assuming I have a running symfony application and it encounters an exception with following configuration:

    framework:
        profiler:
            lifetime: 604800
            only_exceptions: true

Then there should be a dump with profiling information.
But what happens next?
Just copy the file to your own local profiler data folder and start the profiler?
What are the best practices to handle and debug exceptions occurring on the production system?
I think enabling the profiler even with only_exceptions: true should have a performance impact, because to display something on exception it should be collected first in any way.
If you want to see the profiler data from another host, you can export and import it locally.
For me the more correct way is to just log events or email the exception with stack trace to the admin via kernel exception listeners. Within the listener you can access any info you need to send or log, i.e. request stack, logged-in user info, etc.

control user's online status in asp.net

In my application I do not want the same user name to log in at the same time, so I have an idea but I am not sure if it is correct.
1) When a user logs in, update the status (the "isOnLine" column in the user table in db) and save the login time in the session, something like:
Inside the login method:
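
    DateTime ltime = DateTime.Now;
    // Dbservice is the poster's own helper; passing ltime as a query parameter is assumed here
    Dbservice.executeSql("update User set isOnLine = '1', lastLoginTime = @ltime where xxxxx", ltime);
    Session["logintime"] = ltime;
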
When another user tries to log in, check the table to see if the status of this user is logged in or not. If yes, set "isOnline" to "0", then he can log in now.
2) In each protected page's Page_Onload() method, check if the login time in the session is equal to the time in db:
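
    // Rows[0][...] returns object, so cast both sides before comparing
    DateTime logtime = (DateTime)Dbservice.executeSelect("select lastLoginTime from user where xxxxx").Rows[0]["lastLoginTime"];
    // note: the column must keep the full precision of DateTime.Now or this never matches
    if ((DateTime)Session["logintime"] != logtime) {
        // this user should be offline now, redirect to the login page
    }
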
I wonder if my way is right or not?
Also, I have to write the check logic in each protected page's Page_onLoad method, so there is a lot of repeated code. Any ideas to avoid this?
Since all the pages in our site are protected!
Thanks.
UPDATE:
Two users are not allowed online at the same time, but a later user with the correct password is allowed to force the former user offline. For example:
user1 logs in with "username=bill" and "password=000", then he is online now.
Then user2 tries to log in with "username=bill" and "password=123"; since his password is not valid, his request is denied.
user3 tries to log in with "username=bill" and "password=000"; since his password is valid, he has the choice to make user1 offline.
In this case, when the later user logs in successfully, the session of the former user also still exists, so I have to check whether it is online or not according to the "logintime" in the session.
If you are not going to use web farm (or web garden) scenarios then you may use an in-memory structure to keep track of logged-in users. For example, a static global variable of dictionary type (accessed in a thread-safe way).
For a general-purpose robust solution, you need to keep this information in the database (as illustrated by you). I haven't understood the purpose of checking the logged-in time against the session. For a correct solution:
1. You need a database table that will track the user's session. Important fields will be last accessed time and active/inactive state.
2. At the time of login, if an active session for the same user exists in db then the user cannot be logged in.
3. A job to mark the session inactive after a specific time-out. This time-out has to be slightly larger (say x minutes) than the web server session time-out.
4. Periodic refresh from application code to reset the last accessed value in db so that the job will not mark the session inactive.
Because db time-out = web server time-out + x, you can club the refreshes for x minutes, reducing your database trips. For example, say x = 3 minutes, then all requests within 3 minutes will not modify the last accessed time in the database (thereby reducing database trips). You can track the last database update time in session state and in each request check against this value to see if the database needs to be updated or not (i.e. current time > last database update + x then update last accessed value in database).
Third step (job) is optional because you may modify your check in #2 to see if login attempt is after n minutes (where n > session timeout) of last accessed time.
For the logic to check if the user is already online, I may want to put it in the Global.asax Application_AcquireRequestState event since all pages are protected.
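
The session-table scheme in the answer above, as an added example that is not part of the thread. It is written in PHP 8 (the language most of this page deals with) since the logic is not specific to ASP.NET, uses the login-check variant that needs no clean-up job, and replaces the database with an in-memory array; SessionTracker and its methods are hypothetical names.

```php
<?php
// Added example, not from the thread. An in-memory array stands in for the
// database table (assumption); class and method names are hypothetical.
final class SessionTracker
{
    private array $table = [];  // user => [lastAccessed, active]
    public int $dbWrites = 0;   // counts simulated database trips

    public function __construct(
        private int $webTimeout,   // web server session time-out in seconds
        private int $x             // margin: db time-out = webTimeout + x
    ) {}
    /** Login check: refuse while an active session is inside the db time-out. */
    public function login(string $user, int $now): bool
    {
        $row = $this->table[$user] ?? null;
        if ($row !== null && $row['active']
            && $now - $row['lastAccessed'] <= $this->webTimeout + $this->x) {
            return false;
        }
        $this->write($user, $now);
        return true;
    }

    /** Per-request refresh; returns the value to keep in session state. */
    public function touch(string $user, int $now, int $lastDbUpdate): int
    {
        if ($now > $lastDbUpdate + $this->x) {
            $this->write($user, $now);
            return $now;
        }
        return $lastDbUpdate;   // within x seconds: skip the database trip
    }

    private function write(string $user, int $now): void
    {
        $this->table[$user] = ['lastAccessed' => $now, 'active' => true];
        $this->dbWrites++;
    }
}

// Constructed timeline (seconds): 20-minute web time-out, x = 3 minutes.
$tracker = new SessionTracker(1200, 180);
var_dump($tracker->login('bill', 0));
$last = 0;
foreach ([60, 120, 200] as $now) {
    $last = $tracker->touch('bill', $now, $last);
}
var_dump($tracker->login('bill', 300), $tracker->login('bill', 1581));
echo "database writes: {$tracker->dbWrites}\n";
```

In the timeline, the requests at 60 and 120 seconds cause no database write, the second login at 300 seconds is refused, and the one at 1581 seconds is accepted because the last recorded access (200 seconds) is then older than the 1380-second database time-out.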
