I’ve concluded that leaving the session mechanism in its default state is alright as long as I’m aware of the limitations. Specifically, I can’t count on the session lasting more than 24 minutes; and, if the user terminates the browser, then the session will be gone.
Furthermore, it may not be that bad—because every time the session file gets modified we have 24 minutes. Notice I said “modified” (I didn’t say “accessed”).
Note that this post does not talk about what I should do if I want to have the session forced to time itself out after a set amount of time. Also, I haven’t addressed the need for changing the session ID to thwart a hacker’s attempt to do session fixation.
I’m worried that my user may be merrily clicking submit to go from one page to another, and then all of a sudden the garbage collector (gc) deletes the session file. Hence the question: how long does a session last?
There are two things which can cause a session to be lost:
- The gc deletes the session file.
- The session cookie expires.
- The OS-controlled cleanup of the `/tmp` directory.
The gc deletes the session file.
In general you can say `session.gc_maxlifetime` specifies the maximum lifetime since the last change of your session data (not the last time `session_start` was called!). But PHP’s session handling is a little bit more complicated, because the session data is removed by a garbage collector that is only called by `session_start` with a probability of `session.gc_probability` / `session.gc_divisor`. The default values are 1 and 100, so the garbage collector is only started in 1% of all `session_start` calls. That means even if the session is already timed out in theory (the session data had been changed more than `session.gc_maxlifetime` seconds ago), the session data can be used longer than that.

Because of that fact I recommend that you implement your own session timeout mechanism. See my answer to How do I expire a PHP session after 30 minutes? for more details.
The session cookie expires.
If `session.cookie_lifetime` is set to `0`, the session cookie lives until the browser is quit.
EDIT: Others have mentioned the `session.gc_maxlifetime` setting. When session garbage collection occurs, the garbage collector will delete any session data that has not been accessed in longer than `session.gc_maxlifetime` seconds. To set the time-to-live for the session cookie, call `session_set_cookie_params()` or define the `session.cookie_lifetime` PHP setting. If this setting is greater than `session.gc_maxlifetime`, you should increase `session.gc_maxlifetime` to a value greater than or equal to the cookie lifetime to ensure that your sessions won’t expire.
The OS-controlled cleanup of the `/tmp` directory.
Please note that at least two settings are crucial to setting the session time, and maybe three. The two certainly crucial ones are `session.gc_maxlifetime` and `session.cookie_lifetime` (where `0` is not the same as some long number). For complete, 100% certainty of allowing long times, it may also be necessary to set the `session.save_path`, due to varying OS-controlled cleanup time on the `/tmp` directory where session files get stored by default. – Tchalvak Apr 7 at 8:04
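The three answers above each address one of the ways a session can disappear (garbage collection, cookie expiry, `/tmp` cleanup). The following is an added example, not code from the question or from any of the answers, that ties them together: it aligns `session.gc_maxlifetime` with the cookie lifetime, moves the session files out of `/tmp`, and adds the application-level inactivity timeout the first answer recommends, so the application does not depend on the 1%-probability garbage collector actually having run. The 30-minute limit, the `/var/lib/php/app-sessions` path and the `last_activity` key are assumptions chosen for illustration; the array form of `session_set_cookie_params()` needs PHP 7.3 or later.

```php
<?php
// Added example, not from the question or any answer on this page.
// Assumed values: 30-minute inactivity limit, a dedicated save path.
const SESSION_LIFETIME  = 1800;                       // seconds (assumption)
const SESSION_SAVE_PATH = '/var/lib/php/app-sessions'; // hypothetical path, must exist and be writable by PHP

function configure_session(): void
{
    // Keep the GC limit >= cookie lifetime so the server never discards
    // data while the browser still holds a cookie it considers valid.
    ini_set('session.gc_maxlifetime', (string) SESSION_LIFETIME);

    // A dedicated directory is not touched by the distribution's /tmp
    // cleaner, and it is not swept by another application's GC run with a
    // shorter gc_maxlifetime (the files handler scans the whole directory).
    ini_set('session.save_path', SESSION_SAVE_PATH);

    // The defaults the answer describes: GC runs on 1 in 100 session_start calls.
    ini_set('session.gc_probability', '1');
    ini_set('session.gc_divisor', '100');

    // Cookie lifetime matches the server-side limit; 0 would mean "until the
    // browser is closed". The remaining attributes are hardening, not lifetime.
    session_set_cookie_params([
        'lifetime' => SESSION_LIFETIME,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

/**
 * Starts the session and enforces an inactivity timeout in the application,
 * independent of whether the garbage collector has run yet.
 * Returns true if an existing, still-valid session was resumed, false if a
 * fresh session was started (first visit or the old one had expired).
 */
function start_session_with_timeout(): bool
{
    configure_session();
    session_start();

    $now = time();
    $resumed = false;

    if (isset($_SESSION['last_activity'])) {
        if (($now - $_SESSION['last_activity']) > SESSION_LIFETIME) {
            // Expired by our own clock: drop the data and the old ID, even
            // though GC has most likely not deleted the file yet.
            $_SESSION = [];
            session_destroy();
            session_start();
            session_regenerate_id(true);
        } else {
            $resumed = true;
        }
    }

    // Writing the timestamp on every request changes the session data, so the
    // file's modification time (the clock gc_maxlifetime is measured against)
    // advances on every page view, not only when other data changes.
    $_SESSION['last_activity'] = $now;
    return $resumed;
}

// Usage at the top of every page, before any output:
// $active = start_session_with_timeout();
// if (!$active && isset($_COOKIE[session_name()])) { /* show "session expired" */ }
```

The `last_activity` check is what actually bounds the session: `gc_maxlifetime` alone only says when a file *may* be deleted, while the cookie lifetime only controls what the browser sends. Regenerating the ID after an expiry keeps an attacker who learned the old ID from resuming a session that the application has already declared dead.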