48

Can someone please tell me how long my session will last from the data below? - I'm not sure which one tells me

```
session.auto_start               Off                   Off
session.bug_compat_42            Off                   Off
session.bug_compat_warn          On                    On
session.cache_expire             180                   180
session.cache_limiter            nocache               nocache
session.cookie_domain            no value              no value
session.cookie_httponly          Off                   Off
session.cookie_lifetime          0                     0
session.cookie_path              /                     /
session.cookie_secure            Off                   Off
session.entropy_file             no value              no value
session.entropy_length           0                     0
session.gc_divisor               1000                  1000
session.gc_maxlifetime           1440                  1440
session.gc_probability           1                     1
session.hash_bits_per_character  5                     5
session.hash_function            0                     0
session.name                     PHPSESSID             PHPSESSID
session.referer_check            no value              no value
session.save_handler             files                 files
session.save_path                /var/lib/php/session  /var/lib/php/session
session.serialize_handler        php                   php
session.use_cookies              On                    On
session.use_only_cookies         Off                   Off
session.use_trans_sid            0                     0
```
apaderno
Keith Donegan

4 Answers

89

In general you can say session.gc_maxlifetime specifies the maximum lifetime since the last change of your session data (not the last time session_start was called!). But PHP’s session handling is a little bit more complicated.

Because the session data is removed by a garbage collector that is only called by session_start with a probability of session.gc_probability divided by session.gc_divisor. The default values are 1 and 100, so the garbage collector is started in only 1% of all session_start calls. That means even if the session is already timed out in theory (the session data had been changed more than session.gc_maxlifetime seconds ago), the session data can be used longer than that.

Because of that fact I recommend you to implement your own session timeout mechanism. See my answer to "How do I expire a PHP session after 30 minutes?" for more details.

Community
Gumbo
  • 2
    How does session.cache_expire interact with this? – matteo Feb 14 '14 at 08:36
  • 10
    `session.cache_expire` does only influence HTTP caching of the server response but doesn't have any influence on the session expiration. – Gumbo Feb 14 '14 at 09:22
  • 1
    Oh, I see, cache_expire works together with cache_limiter. PHP's documentation is very unclear about that. I couldn't decipher a single word of what is documented here: http://es1.php.net/manual/en/function.session-cache-expire.php until I read this: http://es1.php.net/manual/en/function.session-cache-limiter.php Thanks @Gumbo – matteo Feb 14 '14 at 17:04
  • 3
    @matteo Unfortunately, there are many cases in which the manual is rather unclear. – Gumbo Feb 14 '14 at 18:09
  • 3
    It's worth mentioning that in the Debian/Ubuntu distro, by default PHP disables its session garbage collection mechanism. Instead, it runs a cron job every half hour (see the script /etc/cron.d/php5) to purge session files in the /var/lib/php5/ directory. (source: https://www.appnovation.com/node/2564) – greg Mar 12 '18 at 14:25
  • 1
    @greg as of debian 10 buster, using PHP version 7.3, the cron is now located at `/etc/cron.d/php` and the session files `/var/lib/php`. the source's [link](https://www.appnovation.com/blog/session-garbage-collection-php) has also moved – pulsar Nov 13 '19 at 15:40
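
One way to implement the application-level timeout recommended in the answer above, as an added example that is not part of the original answer or of PHP itself. The constant names, function names and the 300-second ID rotation interval are assumptions; the 1440-second idle limit mirrors the `session.gc_maxlifetime` value in the question.

```php
<?php
// Added example, not code from the page. Constant and function names are assumptions.
const IDLE_LIMIT = 1440;       // allowed inactivity in seconds (the gc_maxlifetime value on this page)
const REGENERATE_AFTER = 300;  // rotate the session ID this often (assumed value)

// Pure decision rule, testable without a live session:
// returns 'expire', 'regenerate' or 'ok'.
function session_decision(array $session, int $now): string
{
    if (isset($session['last_activity'])
        && $now - $session['last_activity'] > IDLE_LIMIT) {
        return 'expire';       // idle too long, regardless of whether GC has run
    }
    if (!isset($session['created'])
        || $now - $session['created'] > REGENERATE_AFTER) {
        return 'regenerate';   // new session or old ID: issue a fresh ID
    }
    return 'ok';
}

// Call this instead of a bare session_start() at the top of each request.
function start_session_with_timeout(): void
{
    session_start();
    $now = time();
    $decision = session_decision($_SESSION, $now);
    if ($decision === 'expire') {
        $_SESSION = [];        // drop stale data in memory
        session_destroy();     // delete the stored session data
        session_start();       // begin a clean session
    }
    if ($decision !== 'ok') {
        session_regenerate_id(true);   // new ID, old session file removed
        $_SESSION['created'] = $now;
    }
    $_SESSION['last_activity'] = $now; // every request refreshes the idle timer
}

// Constructed sample states, evaluated offline when run from the command line.
if (PHP_SAPI === 'cli') {
    $now = 1700000000;
    $samples = [
        'fresh'       => [],
        'active'      => ['created' => $now - 60,   'last_activity' => $now - 30],
        'old id'      => ['created' => $now - 900,  'last_activity' => $now - 30],
        'idle 25 min' => ['created' => $now - 1500, 'last_activity' => $now - 1500],
    ];
    foreach ($samples as $label => $state) {
        echo str_pad($label, 12), session_decision($state, $now), PHP_EOL;
    }
}
```

Keep `session.gc_maxlifetime` at or above `IDLE_LIMIT`, otherwise the garbage collector can remove the session data before this check expires it.
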
21

This is the one. The session will last for 1440 seconds (24 minutes).

```
session.gc_maxlifetime  1440    1440
```
Lukáš Lalinský
  • 24 minutes is a weird default and it's also a rather short time. I have a theory about this: The person that set this default thought it was expressed in minutes. 1440 minutes just happens to be exactly one day, which is an actually reasonable default. But at this point nobody dares to fix it. – jlh Jul 24 '23 at 08:17
8

If session.cookie_lifetime is 0, the session cookie lives until the browser is quit.

EDIT: Others have mentioned the session.gc_maxlifetime setting. When session garbage collection occurs, the garbage collector will delete any session data that has not been accessed in longer than session.gc_maxlifetime seconds. To set the time-to-live for the session cookie, call session_set_cookie_params() or define the session.cookie_lifetime PHP setting. If this setting is greater than session.gc_maxlifetime, you should increase session.gc_maxlifetime to a value greater than or equal to the cookie lifetime to ensure that your sessions won't expire.

8

You're searching for gc_maxlifetime, see http://php.net/manual/en/session.configuration.php#ini.session.gc-maxlifetime for a description.

Your session will last 1440 seconds which is 24 minutes (default).

Mirek Rusin
svens