View Full Version : Totally Disable Admin Session Timeouts

11-14-2008, 10:42 AM
Hi Guys,

I'm about at the end of my rope on this one.

I would like to totally disable the timeout function for the admin panel.

Yes, michael_s I have searched through all of the posts. I have changed the code in the sessions.php. I have switched it to 16 hours as per the methods laid out in previous posts in the forums. I have it set to mysql.

Most of the time the timeout length works OK. 16 hours. But there are other times, when it doesn't work at all and the client will be adding a long product description and pricing structures, and it kicks them out losing all of their work. I'm sick of being scolded by frustrated clients because of this.

As a test I want to totally disable the whole timeout function so that it never has the ability to automatically log people out. Only if they do it themselves.

Does the admin section use sessions for anything other than login timeouts?

If nothing else depends on the session, then could I just comment out the following portion of code in admin/application_top.php?

// check to see if php implemented session management functions - if not, include php3/php4 compatible session class
if (!function_exists('session_start')) {
define('PHP_SESSION_NAME', 'osCAdminID');
define('PHP_SESSION_PATH', '/');

include(DIR_WS_CLASSES . 'sessions.php');

// define how the session functions will be used
require(DIR_WS_FUNCTIONS . 'sessions.php');

// set the session name and save path

// set the session cookie parameters
if (function_exists('session_set_cookie_params')) {
session_set_cookie_params(0, DIR_WS_ADMIN);
} elseif (function_exists('ini_set')) {
ini_set('session.cookie_lifetime', '0');
ini_set('session.cookie_path', DIR_WS_ADMIN);

// lets start our session

// set the language
if (!tep_session_is_registered('language') || isset($HTTP_GET_VARS['language'])) {
if (!tep_session_is_registered('language')) {
or should I just comment out
tep_session_start() ?

thanks for the help. I'd like to get this fixed, but until that happens...I need to disable.

11-15-2008, 10:55 AM
None of that works. You lose your session when PHP does garbage collection - most servers are set to 24 mins of inactivity (as in you have not "refreshed" the screen or naviagated)

This is NOTHING to do with osCMax but everuthing to do with security and PHP settings.

In php.ini find and change:
session.gc_maxlifetime = 1440
(this is the default of 24 mins)

Is it NOT recommented to make this more than an hour or two. (3600 to 7200 seconds)

11-17-2008, 11:50 AM
A workaround if you use Firefox is to have a second admin tab open and use the Firefox "Page Reload" add-on to keep you logged on for as long as your browser is open. Not a solution, but just an idea. I find it useful for a lot of web pages with sessions.

11-17-2008, 02:03 PM
That work too....!!!

12-02-2008, 10:42 AM
Thanks for the support guys...sorry it took me so long to get back...had a response types out ages ago, but wanted to wait to confirm some things before I spoke too soon.

I have read all of the advice on setting the main session timeout number in the php.ini, and I have changed it, but some of the clients are seeing issues where they are logged out immediately when they get to certain ages.

Now for full disclosure, I have heavily modified the OSCMax installation with a lot of addons and custom pages. Is OSCMax using a session manager that is any different than what is available in the standard OSC installation? If so, then if we add a contribution, is there something specific that we need to look out for and make sure gets added?

12-02-2008, 12:27 PM
No, sessions are handled the same as in osCommerce, no changes there. Regardless, you need to make sure that the mods you add are properly handling the osC admin session. If not, it will drop you out of the admin to the login screen.

12-02-2008, 01:07 PM
Hi michael, thanks for the reply.

As far as adding contribs that handle the admin session, I have only really had problems with two contribs.

One that I wrote myself, but adapted from an existing contrib framework. This is attached as a txt file to this message. This file takes an address list from a CSV file, lists the addresses, and displays a delet function to clear them out. It's really straight forward, but when the client goes in and clicks the delete button, it kicks them out back tot he login screen. Once they have logged in again, they can go back into the address delete screen and delete the file without any issues.

Can you take a quick look and smack me in the right direction as far as where to look for session compatibility?

The second contrib is an image manager that I added and is based on the file manager already installed. But lets nail first thing, and I'll see if that leads me to the solution for the second. Thanks.

01-14-2009, 10:45 AM
Hey guys, I figured out what was happening with the admin timeouts!

I have had issues in the past with the timeout being too short, but some of my clients were being logged out almost immediately, usually at the beginning of the day. Here is what happened:

They had bookmarked the Admin control panel login page that had an osCAdminID session ID attached to it in the address. Example:

https://www.yourdomain.com/catalog/admin/login.php?osCAdminID=a2484f61e729baf3be8c0e9825b79 704

This session ID only pops up once a day or once per session time in the address bar. When the client follows the bookmark, it logs them in. Then when they try to do anything on the web site, like submit a form to be processed, it will kick them out because the session in the address bar had expired a long time ago (like months or years), then it will issue a new session that is recorded in the database, and they will be fine for the rest of the day. But the next day, they follow the bookmark, and the process happens all over again.

I have never been able to reproduce this problem on my machines because I always just type in the address directly sans session ID attached. This explains why some people had the problem and some didn't.

So, if someone ever has this problem, make sure you check their bookmarks and get rid of any session ID they might have in their target URL.

01-14-2009, 02:08 PM
That is an issue - but not a problem. If you bookmark a SID then when you go to it - you have to relogin then your fine. Session only are good for 24 min (in standard php installs). There is no way around that other than modifying the php setting. It is a SECURITY issue and FEATURE! Most things your constantly going back an forth and refreshing the session (resetting the timer). It is only with WYSIWYG editor and people thinking and editing things and taking 30 to 1 hour on ONE entry. The SIMPLEST solution - it to create MOST of your text - off line -then paste it into the HTML editor. Then tweak and modify it from there. OR using Firefox "Open link in New Tab" and use the refresh every xxx seconds features.

01-14-2009, 02:28 PM
Yup...I Agree with everything you said.

I did modify the session timeout in the sessions.php to 16 hours and it pretty much holds true. I can usually log into the admin once a day and leave it for a while and come back without having to relogin. This works well for my clients, but only in the login. I left the session timeout in the php.ini close to standard. It's quite a releif to finally figure this out.

02-14-2009, 05:05 AM
That is an issue - but not a problem. If you bookmark a SID then when you go to it - you have to relogin then your fine. Session only are good for 24 min (in standard php installs). There is no way around that other than modifying the php setting. It is a SECURITY issue and FEATURE! Most things your constantly going back an forth and refreshing the session (resetting the timer). It is only with WYSIWYG editor and people thinking and editing things and taking 30 to 1 hour on ONE entry. The SIMPLEST solution - it to create MOST of your text - off line -then paste it into the HTML editor. Then tweak and modify it from there. OR using Firefox "Open link in New Tab" and use the refresh every xxx seconds features.

I also am experiencing "negative feedback" from my very first install of this for someone, (and it ticks me off also to have to manually change or modify files for time settings on this) and this is just a suggestion of possiblitly to add into a future release.

1) To modify existing "session time" and store in the DB, handled via the admin for both admin and EU

2) Possibly use a "verify IP connection" to ADMIN "leave session live" etc.

3) In my install, the client is not modifying the products..but rather using the existing "database" as a secondary sales tool also. What I mean by this is, should the client visit the site...and register an account (without purchasing immediately), the sales people are then instructed to follow thru with the lead created by the cart. (Many times by phone)

And by the time the "sales pitch is given" and the customer is walked thru the course of a sale online, or should the sale be "entered by admin end", the time outs...really are a pain in the butt...(lol)

Just some thoughts for the future, instead of having to use another browser with an auto refresh, or having to F5 every XX minutes.

02-15-2009, 12:57 AM
This is a PHP thing - not a osCMax thing. PHP is normally set for "garbage" collection after 24 mins. If session is inactive then it will be cleaned up. Solution is to use COOKIE bases session----or Increase the setting in php.ini file.

02-15-2009, 01:57 AM
Solution is to use COOKIE bases session----

Can I use both? I am storing in MySQL now ???

If I "stop sessions" in MySQL, will I lose anything? Like "Who's online" which is keeping track of the "session"

And Thx for the reply, here is a link that you had posted before.


I am using stored sessions on DB if I remember.

Now, for my "mental health" (laugh) I have went into Admin > Configurations > Sessions and I have (7) items via the panel I can manually set.

What do they do? What are they for?

sessions [osCMax and osCommerce documentation] (http://wiki.oscdox.com/?do=search&id=sessions)

Wiki results = 1, nothing to do with what they do.

So, now I come back to this oscmax.com and see "DOCS" which as you guys know does: osCMax Documentation - osCMax - osCommerce Maximized (http://www.oscmax.com/book)

Making this /book directory "searchable" would be nice? As I tried to use the "advanced search", but it contains forums...and I am looking for "proper documentation"

So, I goto 01 Administrator:

01 Administrator - osCMax - osCommerce Maximized (http://www.oscmax.com/documents/oscmax_administrators_guide/oscmax_administrators_guide/01_administrator)

I then click thru (4 or 5 nexts) and get to where I would like to read on more.

02 Configuration - osCMax - osCommerce Maximized (http://www.oscmax.com/documents/oscmax_administrators_guide/oscmax_administrators_guide/02_configuration)

In which has "Sessions"

A suggestion for ?? >> (maybe it does exist already?)
http://www.oscmax.com/book (http://www.oscmax.com/book) is to #href they corresponding "Left Info Box (menu items)" from ADMIN panel to get direct?

Great, (bingo)...I think I am getting somewhere:

15 Sessions - osCMax - osCommerce Maximized (http://www.oscmax.com/documents/oscmax_administrators_guide/oscmax_administrators_guide/02_configuration/15_sessions)

But? It really only says (describes) the same as when you highlight each item in the admin > config > sessions...

Now, long story short =

This is not really suggested. What is suggested to to is to save what your doing evey 15 min or so (like when your using the ONLINE HTML or text editor) - this with "refresh" the session lifetime - then click your bowsers "back button" to return back where you was. Or do MOST of your editing OFF LINE and cut and paste it in or FTP it.

Which is a closed thread > http://www.oscmax.com/forums/oscommerce-2-2-modification-help/2445-session-id-admin-login.html

Seems like things "get closed" with no resolvve..

He is mentioning the the same thing.

I agree? That "editing offline" and adding when needing will work, but if you are working in an office, answering the phone.. and also administrating a store and that is your job... to enter orders when the phone rings...

There must be a simple solution to institute a "keep alive" other than refresh....( or auto refresh ), as if it refreshes, and data is no entered in XX amount of time...all is still lost?

Please remember, these (this post) helps others also.

02-15-2009, 05:07 PM
Admin LOGIN connection is using a totally different session - IT uses PHP build in session handling and not using SID and http cookies to keep track. With SID and cookie information are storing session information in MySQL and the SID on the user's PC. This does not rely on php session as we can recreate the session based on the cookie info. Storing this connection in MySQL and the user's PC is NOT secure. You step away and anyone could come by (virtual or physically) and modify things that maybe they should not. If you put it really high - and some one leave the PC login in say a weekend - a person could hack in to the PC and steal that connection and possibly hack the site - say a days or week later...

We did not create the ADMIN login and how it handles it connection. But that is HOW it basically works. If you would like to change to use a cookie based login - go ahead.

The easiest and MOST secure solution - edit the php.ini values. Like suggested in MANY posting. Suggested MAX is 1 hour. (There is OTHER issues if you put this way too large - like being lock out of a server until garbage collection is allowed to flush out old data. There exist a possibility (though remote) of being hijacked etc...)

I work with accountants all day and sensitive data - the windows terminal services (Microsoft product) is set to lock after 15 minutes and have to re-login - it is a SECURITY feature. Yes it is a PITA. But is secure.

Statistics say the AVERAGE call last about 6-12 minutes. If a sales/phone call takes 1 or 2 hours - Wow that is like maybe 4-6 sales a day. Change the value in php.ini - it is not hard.

Like I said to you - WE don't close post when "RESOLVE" - we don't mark any post as being "resolve". Post "get closed" automatically after a year since last post.

This is a USER to USER support forum. Feel free to answer other peoples issues or questions - add value to the posting. Regurgitating searches, links and questions does not help.