How long will my session last?

Question

Can someone please tell me how long my session will last from the data below? - I'm not sure which one tells me

session.auto_start  Off Off
session.bug_compat_42   Off Off
session.bug_compat_warn On  On
session.cache_expire    180 180
session.cache_limiter   nocache nocache
session.cookie_domain   no value    no value
session.cookie_httponly Off Off
session.cookie_lifetime 0   0
session.cookie_path /   /
session.cookie_secure   Off Off
session.entropy_file    no value    no value
session.entropy_length  0   0
session.gc_divisor  1000    1000
session.gc_maxlifetime  1440    1440
session.gc_probability  1   1
session.hash_bits_per_character 5   5
session.hash_function   0   0
session.name    PHPSESSID   PHPSESSID
session.referer_check   no value    no value
session.save_handler    files   files
session.save_path   /var/lib/php/session    /var/lib/php/session
session.serialize_handler   php php
session.use_cookies On  On
session.use_only_cookies    Off Off
session.use_trans_sid   0   0

score 89 · Accepted Answer · edited May 23 '17 at 10:31

89

In general you can say session.gc_maxlifetime specifies the maximum lifetime since the last change of your session data (not the last time session_start was called!). But PHP’s session handling is a little bit more complicated.

Because the session data is removed by a garbage collector that is only called by session_start with a probability of session.gc_probability devided by session.gc_divisor. The default values are 1 and 100, so the garbage collector is only started in only 1% of all session_start calls. That means even if the the session is already timed out in theory (the session data had been changed more than session.gc_maxlifetime seconds ago), the session data can be used longer than that.

Because of that fact I recommend you to implement your own session timeout mechanism. See my answer to How do I expire a PHP session after 30 minutes? for more details.

edited May 23 '17 at 10:31

Community

1
1

answered Oct 04 '09 at 12:48

Gumbo

620,600
104
758
828

2

How does session.cache_expire interact with this? – matteo Feb 14 '14 at 08:36
9

`session.cache_expire` does only influence HTTP caching of the server response but doesn't have any influence on the session expiration. – Gumbo Feb 14 '14 at 09:22
1

Oh, I see, cache_expire works together with cache_limiter. PHP's documentation is very unclear about that. I couldn't decypher a single word of what is documented here: http://es1.php.net/manual/en/function.session-cache-expire.php until I read this: http://es1.php.net/manual/en/function.session-cache-limiter.php Thanks @Gumbo – matteo Feb 14 '14 at 17:04
3

@matteo Unfortunately, there are many cases in which the manual is rather unclear. – Gumbo Feb 14 '14 at 18:09
2

It's worth mentioning that in the Debian/Ubuntu distro, by default PHP disables its session garbage collection mechanism. Instead, it runs a cron job every half hour (see the script /etc/cron.d/php5) to purge session files in the /var/lib/php5/ directory. (source: https://www.appnovation.com/node/2564) – greg Mar 12 '18 at 14:25
1

@greg as of debian 10 buster, using PHP version 7.3, the cron is now located at `/etc/cron.d/php` and the session files `/var/lib/php`. the source's [link](https://www.appnovation.com/blog/session-garbage-collection-php) has also moved – verbumSapienti Nov 13 '19 at 15:40

score 21 · Answer 2 · answered Oct 04 '09 at 12:21

21

This is the one. The session will last for 1440 seconds (24 minutes).

session.gc_maxlifetime  1440    1440

answered Oct 04 '09 at 12:21

Lukáš Lalinský

39,293
6
100
123

Øystein Riiser Gundersen · Answer 3 · 2009-10-04T12:42:46.503

8

If session.cookie_lifetime is 0, the session cookie lives until the browser is quit.

EDIT: Others have mentioned the session.gc_maxlifetime setting. When session garbage collection occurs, the garbage collector will delete any session data that has not been accessed in longer than session.gc_maxlifetime seconds. To set the time-to-live for the session cookie, call session_set_cookie_params() or define the session.cookie_lifetime PHP setting. If this setting is greater than session.gc_maxlifetime, you should increase session.gc_maxlifetime to a value greater than or equal to the cookie lifetime to ensure that your sessions won't expire.

edited Oct 04 '09 at 12:42

answered Oct 04 '09 at 12:21

Øystein Riiser Gundersen

2,109
17
14

Thanks, when I close the browser and open up the page again, I still see the same sessionId? – Keith Donegan Oct 04 '09 at 12:24
1

If your browser was still running, then, yes. The session cookie only expires when the browser application quits. – Øystein Riiser Gundersen Oct 04 '09 at 12:28
The cookie yes, but the session itself will expire after 24 minutes without any activity even if you keep the browser open. – Lukáš Lalinský Oct 04 '09 at 12:35
That's correct (and something I forgot to mention). I've edited my answer with an explanation of these settings. – Øystein Riiser Gundersen Oct 04 '09 at 12:45
2

It’s not the access time but the moodification time. – Gumbo Oct 04 '09 at 12:51

score 8 · Answer 4 · edited Jan 27 '15 at 15:29

8

You're searching for gc_maxlifetime, see http://php.net/manual/en/session.configuration.php#ini.session.gc-maxlifetime for a description.

Your session will last 1440 seconds which is 24 minutes (default).

edited Jan 27 '15 at 15:29

Mirek Rusin

17,944
2
41
34

answered Oct 04 '09 at 12:22

svens

10,960
6
35
55

How long will my session last?

4 Answers4

Linked

Related