4

I have set the session timeout to 20 minutes as below. Sometimes the session timeout happens in two or three minutes.

```php
ini_set('session.gc_maxlifetime', 1200);
ini_set('session.cookie_lifetime', 1200);
ini_set('session.gc_probability', 1);
ini_set('session.gc_divisor', 100);
```

What could be the issue?

Salman A
user1536854

1 Answer

1

The 20 minute expiration does not reset when the user browses other pages. The problem is explained in this comment:

As PHP's Session Control does not handle session lifetimes correctly when using session_set_cookie_params(), we need to do something in order to change the session expiry time every time the user visits our site. So, here's the problem.

```php
$lifetime = 600;
session_set_cookie_params($lifetime);
session_start();
```

This code doesn't change the lifetime of the session when the user gets back at our site or refreshes the page. The session WILL expire after $lifetime seconds, no matter how many times the user requests the page. So we just overwrite the session cookie as follows:

```php
$lifetime = 600;
session_start();
setcookie(session_name(), session_id(), time() + $lifetime);
```

And now we have the same session cookie with the lifetime set to the proper value.

Better, leave session.cookie_lifetime at 0 so that the cookie expires when the browser is closed. Otherwise, users who assume that closing the browser will end their session will be surprised when they re-open their browser before the 20 minute timeout.

Edit regarding gc_xxxx settings

gc_probability = 1, gc_divisor = 1, gc_maxlifetime = 1200

1/1 implies PHP will check the date of session files for every session_start call.

gc_probability = 1, gc_divisor = 100, gc_maxlifetime = 1200

1/100 means PHP will check the date of session files randomly but approximately once per 100 session_start calls.

The date check itself consists of comparing the session file's accessed time with gc_maxlifetime; it deletes the file if it wasn't accessed in the past (e.g.) 20 minutes.

Having said that, if the cookie expires because of timeout (or closing of the browser when the timeout was 0), the session expires immediately since the browser stops sending the expired session id cookie; in which case PHP issues a new session id cookie. The session id file associated with the expired cookie becomes abandoned and does not get accessed anymore; it is therefore garbage collected at any time as described above.

Last, your specific issue can be resolved (i) by looking at the expiry date of the session id cookie (ii) and remembering that cookies with a timeout are not renewed when the page is visited/refreshed.

Salman A
  • How does that answer the question? – Madara's Ghost Mar 04 '13 at 09:10
  • 1
    Yes it did not, I have now added the reference. – Salman A Mar 04 '13 at 09:12
  • I have not used session_set_cookie_params, and I have checked with session.cookie_lifetime = 0 also. But sometimes the timeout is happening. I have some other doubts also, like: 1. My understanding is that when we set session.gc_probability = 0, the GC will not happen. If GC does not happen, will the session timeout also not happen? – user1536854 Mar 04 '13 at 09:55
  • [Gumbo's answer](http://stackoverflow.com/a/1516338/87015) should explain how sessions and GC work. Plus you also need to check the cookies that are being exchanged. The sessions which appear to be expiring after 1 minute could be the ones that were started 19 minutes ago. You are setting `session.cookie_lifetime` via `ini_set`, which is the same as using `session_set_cookie_params`. – Salman A Mar 04 '13 at 10:06
  • For session.gc_probability = 0, will session timeout happen or not? How do gc_probability & gc_divisor affect GC? Let's say I am setting the values as below. Case 1: gc_probability = 1, gc_divisor = 100, gc_maxlifetime = 1200; Case 2: gc_probability = 1, gc_divisor = 1, gc_maxlifetime = 1200; What difference can I see in session timeout between the above two cases? – user1536854 Mar 04 '13 at 10:15
  • Thanks for your answer. It was helpful, and one last doubt. You have mentioned that for the below case GC will happen approx. once per 100 calls: gc_probability = 1, gc_divisor = 100, gc_maxlifetime = 1200; I am accessing the page once and refreshing after 20 min. Actually this is the second call for my page. Now, will the GC delete my file or not, because GC will happen once per 100 calls? Is the 1/100 probability specific to each session or a global one? That is, will the GC happen on one of 100 calls from the same session or calls from all sessions (different users' sessions)? – user1536854 Mar 04 '13 at 13:22
  • let us [continue this discussion in chat](http://chat.stackoverflow.com/rooms/25524/discussion-between-user1536854-and-salman-a) – user1536854 Mar 04 '13 at 13:27
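
An added example, not part of the original answer or its comments: one way to get a sliding 20-minute timeout that depends neither on cookie expiry nor on when GC happens to run, by storing a last-activity timestamp in the session and checking it on every request. The function name, the `last_activity` key and the cookie flags are assumptions; the array form of `session_set_cookie_params()` needs PHP 7.3 or later.

```php
<?php
// Added example: server-side sliding idle timeout.
// IDLE_TIMEOUT matches the 1200 seconds used in the question.
const IDLE_TIMEOUT = 1200;

// Hypothetical helper: returns false when the previous session had timed out.
function start_session_with_idle_timeout(int $timeout = IDLE_TIMEOUT): bool
{
    // GC is only cleanup: keep session data at least as long as the timeout.
    ini_set('session.gc_maxlifetime', (string) $timeout);

    // Lifetime 0 = cookie ends with the browser, as the answer recommends.
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,    // assumption: the site is served over HTTPS
        'httponly' => true,    // keep the session id away from page scripts
        'samesite' => 'Lax',
    ]);
    session_start();

    $now = time();
    $expired = isset($_SESSION['last_activity'])
        && ($now - $_SESSION['last_activity']) > $timeout;

    if ($expired) {
        // Idle too long: drop the old data and continue under a fresh id.
        session_unset();
        session_destroy();
        session_start();
        session_regenerate_id(true);
    }

    // Every request resets the idle timer, which a fixed cookie expiry cannot do.
    $_SESSION['last_activity'] = $now;

    return !$expired;
}

// Call before any output on each request.
if (!start_session_with_idle_timeout()) {
    // The previous session timed out: treat the visitor as logged out.
}
```

If other PHP applications on the same host share the session save path and use a shorter `session.gc_maxlifetime`, their GC runs can still delete these files early; a dedicated `session.save_path` avoids that.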