-1

We have set session_gcmaxlife=5 in php.ini, but session variables on the server are not destroyed after 5 seconds

We want to set the maximum life of the session in PHP to be 5 seconds.

Varun
  • 111
  • 1
  • 3
  • 9
  • 3
    you may want to have a look at this http://stackoverflow.com/questions/520237/how-do-i-expire-a-php-session-after-30-minutes – Ibrahim Azhar Armar Apr 26 '12 at 14:23
  • http://www.php.net/manual/en/session.configuration.php - session.gc_maxlifetime specifies the number of seconds after which data will be seen as 'garbage' and **potentially** cleaned up – Mike B Apr 26 '12 at 14:23
  • For what you need sessions, that are nearly not usable? – KingCrunch Apr 26 '12 at 14:26
  • @Ibrahim Azhar Armar .... we are using that solution but if someone closes the browser then we will not be able to run that time out code. So we need something on the server. – Varun Apr 26 '12 at 14:37
  • @srini time can be altered just need the logic. – Varun Apr 26 '12 at 14:58
  • ini_set('session.gc_maxlifetime', 30*60); for 30 minutes – srini Apr 27 '12 at 13:34

4 Answers

4

In general you can say session.gc_maxlifetime specifies the maximum lifetime since the last change of your session data (not the last time session_start was called!). But PHP’s session handling is a little bit more complicated.

Because the session data is removed by a garbage collector that is only called by session_start with a probability of session.gc_probability divided by session.gc_divisor. The default values are 1 and 100, so the garbage collector is started in only 1% of all session_start calls. That means even if the session is already timed out in theory (the session data had been changed more than session.gc_maxlifetime seconds ago), the session data can be used longer than that.

Because of that fact I recommend you to implement your own session timeout mechanism. See my answer to How do I expire a PHP session after 30 minutes? for more details.

Quote: How long will my session last?

The best solution is to implement your own timeout mechanism. It's simple.

```php
$_SESSION['created'] = time();
```

Now you only need to have an if statement to check whether the 5 seconds have passed and, when they have, destroy the session data.

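```php
// Expire the session once 5 seconds have passed since it was created
if (isset($_SESSION['created']) && time() - $_SESSION['created'] > 5) {
    session_unset();    // clear $_SESSION while the session is still active
    session_destroy();  // then delete the stored session data
}
```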
Community
  • 1
  • 1
josmith
  • 1,049
  • 7
  • 17
  • +1 pretty much what I said (at about the same time) but prettier ;) – CD001 Apr 26 '12 at 14:50
  • we are using that solution but if someone closes the browser then we will not be able to run that time out code. So we need something on the server. – Varun Apr 26 '12 at 15:01
  • 1
    Umm - that _is_ on the server; if they close the browser then the session is destroyed anyway - assuming you set the cookie lifetime to 0 in `session_set_cookie_params()` - as the cookie will be deleted when the browser is closed. The only proviso is to ensure `session.use_trans_sid = "0"` so that URI passing the session won't resurrect it. – CD001 Apr 26 '12 at 15:15
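
A server-side version of the timeout check discussed in the answers above, added here as an example (not code from any of the posters): expiry is enforced on every session_start(), so it depends neither on the browser nor on the probabilistic garbage collector. It measures idle time since the last request; the function names and the `_last_seen` key are hypothetical, and session_gc() requires PHP 7.1 or later.

```php
<?php
// Added example; start_expiring_session(), purge_expired_sessions() and the
// '_last_seen' key are hypothetical names, not part of PHP or of the answers.

const SESSION_TTL = 5; // seconds, the value asked about in the question

function start_expiring_session(int $ttl = SESSION_TTL): bool
{
    // Settings mentioned in the comments above: the cookie dies with the
    // browser and session IDs are never accepted from the URL.
    ini_set('session.use_trans_sid', '0');
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_strict_mode', '1');          // reject IDs the server did not issue
    ini_set('session.gc_maxlifetime', (string) $ttl); // GC hint only, not enforcement
    session_set_cookie_params(0);

    session_start();

    $now = time();
    $expired = isset($_SESSION['_last_seen'])
        && ($now - $_SESSION['_last_seen']) > $ttl;

    if ($expired) {
        // Stale data may still be on disk because GC only runs with a
        // probability; refuse to use it and continue under a new ID.
        session_unset();
        session_destroy();
        session_start();
        session_regenerate_id(true);
    }

    $_SESSION['_last_seen'] = $now;
    return $expired; // true when the previous session was discarded
}

// Optional cron script, run as the web server user, that deletes expired
// session data even if the visitor closed the browser and never returns.
function purge_expired_sessions(): int
{
    session_start();          // needed so the save handler is initialised
    $removed = session_gc();  // run GC now instead of on ~1% of requests
    session_destroy();        // discard the session created just for this call
    return $removed === false ? 0 : $removed;
}
```

Call start_expiring_session() before any output is sent, since it sets the session cookie.
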
1

You can use the setcookie() function. It takes a parameter for time out.

```php
$timeout = 5; // 5 seconds
if (isset($_COOKIE[session_name()])){
    setcookie(session_name(), $_COOKIE[session_name()], time() + $timeout, "/");
}
```

Then you can use Cookie Manager+ in Firefox to see if the session is destroyed.

source

jarchuleta
  • 1,231
  • 8
  • 10
  • Rewriting the session cookie is actually a bad idea... it can cause problems as I've found previously. – CD001 Apr 26 '12 at 14:44
  • I've used the solution and worked extraordinarily well. @CD001 What problems did you run into? – jarchuleta Apr 26 '12 at 16:18
  • to be specific, this one :) http://webmasters.stackexchange.com/questions/21133/session-cookie-being-dropped-when-moving-under-the-ssl – CD001 Apr 27 '12 at 11:12
1

OK - to me a 5 second session sounds rather pointless (as a session is supposed to maintain the application state in a stateless application... yeah).

Your best bet is to probably save an expiry timestamp (time() + 5 seconds) in the session, something like $_SESSION['expires'] - then whenever you start a session, check to see if that variable exists and, if so (and is in the past), kill the session off and start again.


[EDIT]

This is one other possibility that might work, but you'd need to create an object to manage your session - then you could have a kill() method that could be invoked if the session has expired and in the __destruct() method - it's not foolproof as the destructor will only be invoked when the object is destroyed - but it should work.

```php
class Session {

  private static $_instance;

  //private constructor to prevent external instantiation
  private function __construct($sSessName, $sSavePath, $iGCLifetime, $sCookieDomain, $sCookiePath) {

    //session parameters
    ini_set("session.save_path", $sSavePath);
    ini_set("session.gc_maxlifetime", $iGCLifetime);
    ini_set("session.use_trans_sid", false);

    //session cookie parameters
    ini_set("session.use_cookies", true);
    ini_set("session.use_only_cookies", true);
    ini_set("session.cookie_domain", $sCookieDomain);
    ini_set("session.cookie_path", $sCookiePath);
    ini_set("session.cookie_lifetime", 0);

    //set the session name
    session_name($sSessName);

    //set the session cookie parameters
    session_set_cookie_params(0, $sCookiePath, $sCookieDomain);

    //start the session
    session_start();

    //check to see if the session has expired - and if so kill it
    if(isset($_SESSION['expires']) && time() > $_SESSION['expires']) {
      $this->kill();
    }

    //if not - set the expiry time in the session
    else {
      $_SESSION['expires'] = time() + 5;
    }
  }

  //destructor function _should_ kill the $_SESSION when the object is destroyed
  public function __destruct() {
    $this->kill();
  }

  //session killer
  public function kill() {
    //nothing to do if the session has already been killed
    if(session_status() !== PHP_SESSION_ACTIVE) return;

    //kill the session cookie - path and domain must match the ones it was set with
    $aParams = session_get_cookie_params();
    setcookie(session_name(), '', time()-3600, $aParams['path'], $aParams['domain']);

    //kill the session
    session_unset();
    session_destroy();
  }

  //Singleton instance getter - static, and passes the settings on to the constructor
  public static function getInstance($sSessName, $sSavePath, $iGCLifetime, $sCookieDomain, $sCookiePath) {
    if(!self::$_instance) self::$_instance = new self($sSessName, $sSavePath, $iGCLifetime, $sCookieDomain, $sCookiePath);
    return self::$_instance;
  }
}
```
CD001
  • 8,332
  • 3
  • 24
  • 28
  • we are using that solution but if someone closes the browser then we will not be able to run that time out code. So we need something on the server. – Varun Apr 26 '12 at 15:02
-1

Include a timestamp attribute of the $_SESSION variable. Check it periodically and expire the session according to a conditional:

```php
$_SESSION['mytimestamp'] = time();
```
Eric Leschinski
  • 146,994
  • 96
  • 417
  • 335
andrewsi
  • 10,807
  • 132
  • 35
  • 51