How to keep extending session life when user is active?

情书的邮戳 2021-02-04 08:58

Let's say there's a site/system with a logged in member area, and users are rarely, but very inconveniently, logged out while working with the site/system.

It's doubt

5 answers
  •  南方客 (original poster)
    2021-02-04 09:40

    Since sessions and authentication are already handled via one super controller in your code, it should be easy to at least rule out session destruction.

    Typically only the login page creates a session, so at this point you can (and should) add a known value inside, such as the session id.

    The other pages (including your heartbeat) resume an existing session, so at this point you look for the above value; if it's missing, you can do a few more checks:

    • Was a session cookie passed? If not, browser / cookie issue.
    • Does the session cookie correspond with session_id()? If not, the session file was lost due to garbage collection.
    • Does the known value exist in the session? If not, the session was truncated or someone is trying to do a session adoption attack.
    • Does the known value correspond to the session cookie? If not, the session was established via different means than cookie; you could check the session.use_only_cookies setting.

    The above set of checks should point you in the right direction.
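
The four checks from the answer above, written out as an added PHP example (not code from the original post). The key name `login_sid` and the function names are hypothetical, and the sketch assumes `session_start()` has already run on each page.

```php
<?php
declare(strict_types=1);

const MARKER_KEY = 'login_sid'; // hypothetical key name for the "known value"

// Login page: call after credentials are verified and session_start() has run.
// If the application regenerates the id again later, refresh the marker too.
function mark_session(): void
{
    session_regenerate_id(true);          // issue a fresh id at login
    $_SESSION[MARKER_KEY] = session_id(); // known value = id issued at login
}

// Pure decision function: runs the checks in the order the answer lists them.
function diagnose_session(?string $cookieId, string $activeId, array $session, bool $onlyCookies): string
{
    if ($cookieId === null || $cookieId === '') {
        return 'no-cookie: browser or cookie issue';
    }
    if (!hash_equals($activeId, $cookieId)) {
        return 'id-mismatch: session file lost (garbage collection)';
    }
    $marker = $session[MARKER_KEY] ?? null;
    if (!is_string($marker)) {
        return 'marker-missing: session truncated or possible session adoption';
    }
    if (!hash_equals($marker, $cookieId)) {
        return 'marker-mismatch: session not established via cookie; session.use_only_cookies='
            . ($onlyCookies ? 'on' : 'off');
    }
    return 'ok';
}

// Every other page, heartbeat included: call right after session_start().
function check_resumed_session(): string
{
    $cookie = $_COOKIE[session_name()] ?? null;
    $verdict = diagnose_session(
        is_string($cookie) ? $cookie : null, // an array-valued cookie counts as absent
        session_id(),
        $_SESSION,
        filter_var(ini_get('session.use_only_cookies'), FILTER_VALIDATE_BOOLEAN)
    );
    if ($verdict !== 'ok') {
        error_log('session check failed: ' . $verdict); // log the verdict, never the id
    }
    return $verdict;
}
```

Logging the verdict from the heartbeat as well as from normal pages shows which of the four causes is behind the unexpected logouts.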
