
I've been doing some research on PHP Session Handling and came across the session.gc_maxlifetime value of 1440 seconds. I've been wondering why the standard value is 1440 and how it is calculated? What is the basis for this calculation?

How long does it make sense to keep sessions? What min/max values for session.gc_maxlifetime would you recommend? The higher the value, the more vulnerable the Web-App is for Session Hijacking, I'd say.

Doug
Anna Völkl
  • `+1` Nice question. Something related to 60 x 12 x 2... Let's wait for interesting answers... :) – Praveen Kumar Purushothaman Feb 05 '13 at 08:55
  • Here's [the source code line where the default value is set](https://github.com/php/php-src/blob/master/ext/session/session.c#L714). Those familiar with Git may be able to track its history and maybe find an RFC or bug ticket (if any). – Álvaro González Feb 05 '13 at 09:06
  • http://stackoverflow.com/questions/156712/php-what-is-the-default-lifetime-of-a-session might help; some earlier discussion was done on this. – Anil Namde Feb 05 '13 at 09:38
  • @Anil: This discussion does not answer my question. – Anna Völkl Feb 05 '13 at 10:48
  • @ÁlvaroG.Vicario I found the change: https://github.com/php/php-src/commit/d8a9548cb2468c7ac7981b7a3c441e918482d7e3 however there is zero relevant associated documentation. `1440` was indeed the original number of minutes for the timeout, so I guess we'll never know unless someone tracks down Sascha Schumann. – Dai Feb 07 '13 at 08:08
  • I found Sascha's email address and contacted him about this; I'll let people know if he responds. – Dai Feb 07 '13 at 08:13
  • Why didn't Sascha respond!? – Dennis May 20 '20 at 15:18

2 Answers


The real answer is probably very close to this:

Back during PHP3 days, PHP itself had no session support.

But an open-source library called PHPLIB, initially written by Boris Erdmann and Kristian Koehntopp from NetUSE AG, provided sessions via PHP3 code.

Session lifetimes were defined in minutes, not seconds. And the default lifetime was 1440 minutes, or exactly one day. Here's that line of code from PHPLIB:

```php
var $gc_time  = 1440;       ## Purge all session data older than 1440 minutes.
```

Sascha Schumann was involved with the PHPLIB project around the period of 1998 to 2000. There's no doubt he was familiar with the PHP3 session code.

Then PHP4 came out in the year 2000 with native session support, but now the lifetime was specified in seconds.

I'll bet someone just never bothered converting minutes to seconds. It's probable that person was Sascha Schumann. Once that value was coded into the Zend engine, it became the configuration (php.ini) default as well.

CXJ
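As an added illustration (not code from the question or either answer): the default is 1440 seconds, i.e. 24 minutes, and whichever value is chosen, PHP only runs session garbage collection with probability session.gc_probability/session.gc_divisor per request, so an idle session can outlive gc_maxlifetime on disk. A deterministic idle timeout is therefore also enforced in application code; the IDLE_TIMEOUT_SECONDS constant and the last_activity key are assumed names for this example.

```php
<?php
// Added example: deterministic idle timeout on top of session.gc_maxlifetime.
// IDLE_TIMEOUT_SECONDS and $_SESSION['last_activity'] are names chosen here,
// not PHP or PHPLIB identifiers.

const IDLE_TIMEOUT_SECONDS = 1440;   // the default value, now deliberately in seconds (24 minutes)

// Keep the server-side lifetime aligned with the application timeout, and
// refuse session IDs the server never issued (blocks session fixation).
ini_set('session.gc_maxlifetime', (string) IDLE_TIMEOUT_SECONDS);
ini_set('session.use_strict_mode', '1');

// Cookie lifetime 0 = until the browser closes; the server-side timeout
// above, not the cookie, is what bounds how long a stolen ID stays valid.
session_set_cookie_params([
    'lifetime' => 0,
    'secure'   => true,     // only over HTTPS
    'httponly' => true,     // not readable from JavaScript
    'samesite' => 'Lax',
]);

session_start();

$now = time();
if (isset($_SESSION['last_activity'])
    && ($now - $_SESSION['last_activity']) > IDLE_TIMEOUT_SECONDS) {
    // Idle too long: discard the stale data and rotate the ID. Passing true
    // deletes the old session file immediately instead of waiting for GC.
    $_SESSION = [];
    session_regenerate_id(true);
}
$_SESSION['last_activity'] = $now;
```

Lowering session.gc_maxlifetime alone does not shorten the window in which an active session can be hijacked; the check above also forces a fresh ID once the user has been idle past the limit.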

1440 is used in a time calculation turning seconds into hours/days.

  • 1 day = 24 hours ( hours * 24 = 1 day )
  • 1 day = 1440 minutes ( minutes * 60 * 24 = 1 day )
  • 1 day = 86400 seconds ( seconds * 60 * 1440 = 1 day )

Example:

9 days [* 60] = 540 [* 1440] = 777600 seconds

The same is true in reverse:

777600 seconds [/ 1440] = 540 [/ 60] = 9 days

Community