Timeout in globals not being honored?

In globals we have the Idle Session Timeout value set to 7200 seconds. The session times out long before this. Is it not honoring this value? Is there something else that needs to be configured? Clinical and front office staff claim that this did not happen in v5.0.2.

OpenEMR Version
6.0.0 patch 1

Browser:
Chrome, latest version

Operating System
Reproduced on macOS, W10, etc.

Logs
Not sure what logs to check on this one.

I do see some of these in the logs:
[02-Jun-2021 16:25:09 America/Denver] PHP Warning: session_destroy(): Trying to destroy uninitialized session in /home/xxxxxxx/public_html/emr/src/Common/Session/SessionUtil.php on line 231

And a whole bunch of these:
[02-Jun-2021 16:24:59 America/Denver] OpenEMR CSRF token authentication error

Hi @midder, some recent work fixing the timeout will be in the next patch.

Thanks @stephenwaite. Are you aware of a workaround in the meantime? I’m getting a bit of grief over the issue from providers having their notes disappear while with patients.

Is this related to PR 4439?

Try these 4 commits (in this order) from the rel-600 branch:

  1. Fix for "Site ID is missing from session data!" when session expires.… · openemr/openemr@033d2fb · GitHub
  2. fix for removal of require in recent work to auth.inc · openemr/openemr@bb46c12 · GitHub
  3. updated timeout mechanism (#4439) · openemr/openemr@1a2a32f · GitHub
  4. incremented v_js_includes · openemr/openemr@748340a · GitHub

Thanks @brady.miller. Will give it a try and report back.

Seems to work well from my own testing.

I’ll wait to hear from the providers and other staff in the morning and then will mark as the solution if no issues.

Thanks for the help.

Guess I spoke too soon there. Staff still saying it’s no different than yesterday.

How close are we to patch 2?

Hello @midder, pretty close, here’s a beta version of what will be created.

patch2-beta.zip (688.5 KB)

For what it’s worth, I had a problem like this (losing notes due to timeout) from the time I began using OpenEMR last year (5.2, then 6.0). I checked all the OpenEMR settings, and what finally worked was changing a setting outside of OpenEMR - an Apache config, I think. I will see if I can find what it was - unless you think this can’t be the problem - for example, if everything was working fine before.

Addendum: I think it was in php.ini, session.gc_maxlifetime = 14400 . This seemed to solve the problem I was having, not sure if yours is the same.

We never had issues prior to v6. Our EMR timeout is 2 hours and has been for years.

Since this has been acknowledged by the developers I would think that the particular issue we are hitting here is code related. I’ll review our php settings as well.

The php.ini setting change has fixed your issue in v6?

I installed Patch 2, which I believe was supposed to fix a timeout issue. We were having timeouts in the middle of inputting data. I haven’t seen that yet, but our trainer is keeping an eye open. The system does still time out before the 7200 secs limit, after about 1.5 hours. Have others continued to have timeout issues even after applying the patch?

@JGP yes my users are also still complaining about timeouts after patch 2.

It would be nice if we could actually log people out instead of the message that users receive about the session ID and then needing to log out as an additional step.

Hi @midder, did you clear the browser cache?

@stephenwaite thanks for the reply.

I asked them to do this after your suggestion. I haven’t heard any complaints since then, so perhaps that was the issue.

Thanks again.


We’re on v6.0.0 and after patch2 we’re timed out at 24 minutes. (Session ID expired)
Clearing cache & cookies had no effect. I believe SJC admin has the answer because I found that our /etc/php/7.4/apache2/php.ini file has the setting "session.gc_maxlifetime = 1440", which is 24 minutes. After changing the value to 14400 we get 4 hours now.

You are correct, @hitechelp. The session.gc_maxlifetime will destroy the session. I don’t think setting the value from code will work because I believe a server restart is required; however, I’ll look into setting it to the OpenEMR session timer, and whether a restart is required, for our next patch.

From my testing, session timeout is working very well.

By that, do you mean that users are getting booted with a “Site ID missing from session” warning at the time set in globals? And from our experience, we were getting booted even though we were actively working in the system which would indicate that this was a php.ini issue as opposed to an OpenEMR setting.

What is your php.ini session.gc_maxlifetime setting? And when are users booted?

This is an old bug; however, if the PHP default session.gc_maxlifetime times out, then the PHP session file is expired, but the cookie lifetime (set to 14,400) will have no effect on the PHP session file, which, in the end, is the session data repository. This will most likely cause the “Site ID missing from session” message and not a log out.

Again, correct assumption IMO.

I need to check and see if my modifications dealing with this type of issue were in patch 2 or even if I brought them back to v6.
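
The mismatch discussed in this thread (php.ini's session.gc_maxlifetime being lower than the Idle Session Timeout set in globals) can be checked with a small script. This is an added example, not part of any post above and not OpenEMR code; the function names and the sample php.ini fragments are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare php.ini's session.gc_maxlifetime with the app's idle timeout.

# Print the effective session.gc_maxlifetime from a php.ini file.
# ';' comment lines are skipped, the last assignment wins, and PHP's built-in
# default of 1440 seconds is used when the directive is absent.
ini_gc_maxlifetime() {
    awk -F= '
        /^[ \t]*;/ { next }
        $1 ~ /^[ \t]*session\.gc_maxlifetime[ \t]*$/ {
            v = $2
            sub(/;.*/, "", v)          # drop trailing comment
            gsub(/[ \t\r"]/, "", v)    # drop whitespace and quotes
            val = v
        }
        END { print (val == "" ? 1440 : val) }
    ' "$1"
}

# Return 0 when PHP keeps session data at least as long as the idle timeout,
# 1 when PHP session garbage collection may delete the session first.
check_timeout() {
    gc=$(ini_gc_maxlifetime "$1")
    case $gc in
        ''|*[!0-9]*) echo "ERROR: non-numeric session.gc_maxlifetime '$gc'"; return 2 ;;
    esac
    if [ "$gc" -lt "$2" ]; then
        echo "MISMATCH: session.gc_maxlifetime=$gc is below idle timeout $2"
        return 1
    fi
    echo "OK: session.gc_maxlifetime=$gc covers idle timeout $2"
}

# Constructed sample php.ini fragments (not taken from a real server).
sample_default=$(mktemp)
sample_fixed=$(mktemp)
printf '%s\n' '[Session]' ';session.gc_maxlifetime = 99999' \
    'session.gc_maxlifetime = 1440 ; stock value' > "$sample_default"
printf '%s\n' '[Session]' 'session.gc_maxlifetime = 14400' > "$sample_fixed"

# 7200 is the Idle Session Timeout value from the first post.
check_timeout "$sample_default" 7200 || true
check_timeout "$sample_fixed" 7200 || true
```

On a real server, pass the php.ini that the web server's PHP actually loads (the thread mentions /etc/php/7.4/apache2/php.ini); the command-line PHP often reads a different file.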