how long does a session last

I’ve concluded that leaving the session mechanism in its default state is alright as long as I’m aware of the limitations. Specifically I can’t count on the session lasting more than 24 minutes; And, if I the user terminates the browser then the session will be gone.

Furthermore, it may not be that bad—because every time the session file gets modified we have 24 minutes. Notice I said “modified” (I didn’t say “accessed”).

Note that this post does not talk about what I should do if I want to have the session forced to time itself out after a set amount of time. Also, I haven’t addressed the need for changing the session ID to thwart a hacker’s attempt to do session fixation.

I’m worried that my user may be merrily clicking submit to go from one page to another. And then all of a sudden the garbage collector (gc) deletes the session file. Hence the Q.: How long does a session last?

There are two things which can cause a session to be lost:

  1. The gc deletes the session file.
  2. The session cookie expires.
  3. The OS-controlled cleanup of /tmp directory.

The gc deletes the session file.

From Gumbo and colithium say:

In general you can say session.gc_maxlifetime specifies the maximum lifetime since the last change of your session data (not the last time session_start was called!). But PHP’s session handling is a little bit more complicated.

Because the session data is removed by a garbage collector that is only called by session_start with a probability of session.gc_probability divided by session.gc_divisor. The default values are 1 and 100, so the garbage collector is only started in only 1% of all session_start calls. That means even if the the session is already timed out in theory (the session data had been changed more than session.gc_maxlifetime seconds ago), the session data can be used longer than that.

Because of that fact I recommend you to implement your own session timeout mechanism. See my answer to How do I expire a PHP session after 30 minutes? for more details.

The session cookie expires.

From someone with weird characters in their username says (including an edit by someone else):

If session.cookie_lifetime is 0, the session cookie lives until the browser is quit.

EDIT: Others have mentioned the session.gc_maxlifetime setting. When session garbage collection occurs, the garbage collector will delete any session data that has not been accessed in longer than session.gc_maxlifetime seconds. To set the time-to-live for the session cookie, call session_set_cookie_params() or define the session.cookie_lifetime PHP setting. If this setting is greater than session.gc_maxlifetime, you should increase session.gc_maxlifetime to a value greater than or equal to the cookie lifetime to ensure that your sessions won’t expire.

The OS-controlled cleanup of /tmp directory.

Excerpt from another stackoverplow post.

Please note that at least two settings are crucial to setting the session time, and maybe three. The two certainly crucial ones are session.gc_maxlifetime and session.cookie_lifetime (where 0 is not the same as some long number). For complete, 100% certainty of allowing long times, it may also be necessary to set the session.save_path, due to varying OS-controled cleanup time on the /tmp directory where session files get stored by default. – Tchalvak Apr 7 at 8:04


About samehramzylabib

See About on
This entry was posted in PHP Sessions Cookies and Header and tagged , . Bookmark the permalink.


Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s