Summary: How to fix short sessions so you aren't prompted frequently for a password


After spending a long time editing long pages, on saving the changes you may be prompted for a read password.


If you control the php implementation, try increasing the session.gc_maxlifetime from the default of 1440 (24 minutes) to something larger than the time you expect to spend on any page (an intermediary save button might also help reduce that time)

You could perform this from the vhost configuration with this command
php_value session.gc_maxlifetime 14000 (10 times more than default)

However, if you have your wiki on a shared server, other people may hijack/purge your sessions, so you'd have to provide a directory for holding the sessions. Create a directory under your wiki area (e.g. wiki.d/.sess/), then put this in config.php:

  session_save_path("$WorkDir/.sess"); // (#)

(For more detail, check php docs for Session handling functions)


Previously the recipe suggested a configuration where the session directory was world-readable and browser-accessible which creates a security vulnerability (anyone could read session data including user names and passwords). If you have used the previous configuration, please review and update it or disable it ASAP. (Unfortunately, this wiki has not kept the history before 2009 so we could see who wrote this page.) The directory wiki.d is considered more secure as it is protected with a .htaccess file, but best is to store session data outside of the document root. It is better to have shorter sessions than to open security holes. --Petko August 02, 2017, at 03:32 PM

See Also



See discussion at FixShortSessions-Talk