Prolong login time

For my private blog I use logins for all visitors. However, security is not of utmost importance therefore I would like to prolong session times for quite some time. In my optimal scenario it should be linked to the last time somebody has accessed the site (login expires 1 week after last visit).

I tried the following in my config.php (from: Forum):

s::$timeout = 60*24*30; // thirty days of session validity like in the Panel
s::$cookie['lifetime'] = 9999999; // don't let the cookie ever expire

I can see that cookie lifetimes are set accordingly.
Nonetheless I still have to login every few hours…

Any hints?

Maybe the session files on the server get deleted. Reasons for this may be:

  • Server reboot
  • Some process on the server that cleans up temporary files after a few hours

Which hosting provider do you use?

1 Like

Running it on my own “internet facing” raspberry pi, apache2.
Uptime is 17 days. I am not aware of any tmp cleaning. However there do no seem to be any temporary files in /tmp from Apache.


Shouldn’t the cookies (on the client) computer not make sure, that even if a session on the server expires, the client still keeps logged in?


No, a session cookie only contains the session ID, which is worthless if the session data for that ID is deleted on the server. To make the cookie work without needing to store anything on the server, you would need to save the username and password in the cookie (don’t do that as it will be stored in plain text).

What is the PHP option session.save_path set to on your RPi? You can find it on a phpinfo() page.

session.save_path is “/var/lib/php5/sessions”

Which Linux distro are you using on your RPi? I’ve heard that Debian has a cron job that regularly cleans sessions, so that may be the cause here.

FYI: I have a Ubuntu 16.04 server with a standard nginx + php-fpm installation.

On Ubuntu it’s most likely the session.gc_maxlifetime option. Please see this tutorial on increasing this value. However please note that you shouldn’t increase it too much, otherwise you will have a lot of old session files on your server.

1 Like

I’ve changed the value to 1 hour. I just had a user that was logged in and 2 minutes after his login, he was logged out.
Just a random thought: could it be related to me using Cloudflare? Some users will get the same IP (from cloudflare servers) and the other one will be logged out? Not sure if it’s working like this.

No, sessions are based on session tokens/session IDs, which are unique to each visitor/browser, not IP. So that’s very strange.

Ok, makes sense. Since this is probably not related to Kirby, I’ll get help somewhere else.

I tried the suggestions for some days now:
Setting session.gc_maxlifetime to 2,5 millon in php.ini works great. At least for my low traffic site.


1 Like