
I'm playing around with a zen-cart, and I'd like to have it so that a customer's session doesn't expire after 24 mins, which appears to be the default.

After googling and hoking around the zen-cart website it doesn't seem anyone has an answer to this (plenty of answers on how to change the Admin logout session time - I want people using the actual site to have longer sessions). I guess it's probably a security thing; nonetheless, I've looked into it now and can't figure out the code:

// Zen Cart session setup: choose the session lifetime ($SESS_LIFE) in seconds.
if (IS_ADMIN_FLAG === true) {
    // Admin side: use SESSION_TIMEOUT_ADMIN, but never more than 900 seconds (15 minutes).
    if (!$SESS_LIFE = (SESSION_TIMEOUT_ADMIN > 900 ? 900 : SESSION_TIMEOUT_ADMIN)) {
      $SESS_LIFE = (SESSION_TIMEOUT_ADMIN > 900 ? 900 : SESSION_TIMEOUT_ADMIN);
    }
} else {
    // Storefront: use PHP's session.gc_maxlifetime as read from php.ini;
    // if it is unset or zero, fall back to 1440 seconds (24 minutes).
    if (!$SESS_LIFE = get_cfg_var('session.gc_maxlifetime')) {
      $SESS_LIFE = 1440;
    }
}

I've tried changing the 1440 to 86400 (a day) but that didn't seem to work. I'm not completely sure what the line

if (!$SESS_LIFE = get_cfg_var('session.gc_maxlifetime')) {

does with that ! and only one = after. I guess this is the problem? Can anyone enlighten me?

crazy sarah
  • Make sure you aren't sharing your session directory with other web sites. Otherwise, the site with shortest `gc_maxlifetime` will probably remove *all* session files, even yours. – Álvaro González Nov 15 '12 at 12:56
  • @alvaro thanks, I think it's just easier to change the code for now :) – crazy sarah Nov 15 '12 at 12:59
  • You've misunderstood me. Just changing the setting will be useless if you're on shared hosting and your session files are in a common directory. It's just a matter of checking `phpinfo()` and changing the `session.save_path` configuration directive if necessary. – Álvaro González Nov 15 '12 at 13:06

1 Answer

if (!$SESS_LIFE = get_cfg_var('session.gc_maxlifetime')) {
    $SESS_LIFE = 1440;
}

This gets the value of session.gc_maxlifetime from the runtime configuration, and sets it as $SESS_LIFE.

If the value of $SESS_LIFE is zero, it executes $SESS_LIFE = 1440;

Change this timeout in php.ini, or by using

ini_set('session.gc_maxlifetime', 86400);

Or in your .htaccess, you can add the line:

php_value session.gc_maxlifetime 86400

Reference: get_cfg_var

Anirudh Ramanathan
  • Ah ok, so could I just remove the if statement and set the variable $SESS_LIFE = 86400; without using the ini_set? I'm not sure if I'm allowed to change things in ini_set on my live server, surely it could affect other sites then? – crazy sarah Nov 15 '12 at 12:36
  • @crazysarah The `session.gc_maxlifetime` can be set inside a script or via `.htaccess`; there's really no need to change the code. – Ja͢ck Nov 15 '12 at 12:37
  • @crazysarah As Jack said, you could put it in your .htaccess as `php_value session.gc_maxlifetime 86400`. – Anirudh Ramanathan Nov 15 '12 at 12:43
  • But changing the code is ok, right? I'm more comfortable with that if there's no real bad downsides – crazy sarah Nov 15 '12 at 12:46
  • @crazysarah It should be ok either way IMHO – Anirudh Ramanathan Nov 15 '12 at 12:53
  • Hopefully you understand the risks you're causing by allowing someone to come along several hours (a day, like you said) later and steal whatever information is sitting in the customer's session, such as personal address information and more. Great way to encourage identity theft for your customers. Just sayin... – Zen Cart Dec 03 '12 at 03:10
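As an added example (it is not code from the question, the answer, or Zen Cart itself), the following PHP 7.4+ script shows what the `!$SESS_LIFE = get_cfg_var(...)` line actually does, and why a value changed with `ini_set()` is not what `get_cfg_var()` reports: `get_cfg_var()` returns what was parsed from php.ini, while `ini_get()` returns the live value. It also prints the related settings that decide whether a longer lifetime takes effect. The function names (`zenLifetimeFrom`, `lifetimeReport`) and the sample values fed to them are the example's own assumptions.

```php
<?php
// Added example (not Zen Cart code): how `!$SESS_LIFE = get_cfg_var(...)`
// evaluates, and why ini_set() changes are not visible through get_cfg_var().
//
// In PHP, `!$a = expr` parses as `!($a = expr)`: the assignment runs first,
// then the assigned value is negated. So the line both stores the configured
// lifetime in $SESS_LIFE and tests whether that value was falsy (false, 0, "0").

/**
 * Reproduce the storefront branch of the snippet under discussion, with the
 * configuration lookup injected so it can be exercised with sample values.
 * $lookup must return a string from the configuration, or false when unset
 * (the same contract as get_cfg_var()).
 */
function zenLifetimeFrom(callable $lookup): int
{
    if (!$SESS_LIFE = $lookup('session.gc_maxlifetime')) {
        $SESS_LIFE = 1440;   // fallback: PHP's default of 24 minutes
    }
    return (int) $SESS_LIFE;
}

/**
 * get_cfg_var() reads the value parsed from php.ini; ini_get() reads the live
 * value, which includes ini_set() calls. Both are reported side by side, along
 * with the other settings that decide whether a longer lifetime really sticks.
 */
function lifetimeReport(): array
{
    $fromIni = get_cfg_var('session.gc_maxlifetime');   // false if php.ini has no entry
    $live    = ini_get('session.gc_maxlifetime');
    return [
        'php.ini value (get_cfg_var)' => $fromIni === false ? 'unset' : $fromIni,
        'live value (ini_get)'        => $live,
        'cookie lifetime'             => ini_get('session.cookie_lifetime'), // 0 = until browser closes
        'gc probability'              => ini_get('session.gc_probability') . '/' . ini_get('session.gc_divisor'),
        'save_path'                   => ini_get('session.save_path') ?: sys_get_temp_dir() . ' (default, possibly shared)',
    ];
}

// --- demonstration ----------------------------------------------------------

// 1. Precedence: the assignment happens even though the condition is negated.
echo "unset  -> ", zenLifetimeFrom(fn($k) => false),   "\n"; // 1440
echo "\"0\"    -> ", zenLifetimeFrom(fn($k) => '0'),     "\n"; // 1440 ("0" is falsy)
echo "86400  -> ", zenLifetimeFrom(fn($k) => '86400'), "\n"; // 86400

// 2. ini_set() changes the live value but not what get_cfg_var() returns.
ini_set('session.gc_maxlifetime', '86400');
foreach (lifetimeReport() as $setting => $value) {
    printf("%-28s %s\n", $setting . ':', $value);
}
```

Run it with `php lifetime.php` (any file name). Three things in the report matter for the question above. First, `session.gc_maxlifetime` is only the age after which PHP's garbage collector *may* delete idle session data, and the collector runs with probability `gc_probability/gc_divisor` per request, so a session can outlive the setting or, as Álvaro González notes, be removed early by another site that shares the same `save_path` and has a shorter lifetime; check `save_path` is private to this site. Second, `session.cookie_lifetime` of 0 means the browser discards the cookie when it closes, whatever the server-side lifetime is. Third, as the Zen Cart comment points out, an idle timeout of a day widens the window in which a stolen session ID remains usable; if you do extend it, call `session_regenerate_id(true)` after login and keep a hard cap (for example a creation timestamp stored in `$_SESSION`) rather than relying on the idle timeout alone.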