1

What is the scope of the session variable $_SESSION['']? If I have a bunch of webpage surveys strung together, one after the other, will a session variable expire after a certain amount of time or will it exist as long as you don't close the browser? What happens if you hibernate your computer?

I seemed to have lost a session variable after hibernating and I'm not sure if that's the issue or if there is some other problem.

Mallikarjuna Reddy
  • 1,212
  • 2
  • 20
  • 33
user1015214
  • 2,733
  • 10
  • 36
  • 66
  • as far as i know if you have session start on all your pages and no session destroy, shouldn´t end session unless you close your browser – Sebastian Uriel Murawczik Mar 14 '13 at 19:19
  • 1
    You may find [this question](http://stackoverflow.com/questions/1516266/how-long-will-my-session-last) useful? – ajp15243 Mar 14 '13 at 19:21
  • Do you need a session start on every page, or on every page you want to actually use the session variable? I don't have it on every page but it seems to keep passing on (until my hibernate issue etc..) – user1015214 Mar 14 '13 at 19:22

3 Answers3

2

The session as a whole (not just single variables) can be continued or lost for many reasons.

In the default configuration, the session is meant to be "lost" when the browser closes because the browser will remove the cookie identifying the session. It is still somewhere on the server until the session garbage collection deletes it. Because of that, a browser that is idle for a long time might still loose it's session because PHP will remove ones that haven't been used lately.

Check the configuration. In particular, you might want to adjust "session.gc_maxlifetime" and "session.cookie_lifetime" to your needs if you need to keep your sessions around longer.

jimp
  • 16,999
  • 3
  • 27
  • 36
1

Session variables don't expire. Sessions expire subject to session_gc.maxlifetime and other configuration options.

Sessions are not tied to the browser. However, the browser might choose not send the required information to the server for the server to resume an earlier session. This typically happens when the browser treats all cookies as session cookies.

The term session cookie in this context does not mean a cookie that holds a session identifier or session variables. Rather it's a cookie that is gone as soon as the browser is closed (i.e. the users session in front of the browser ends).

Oswald
  • 31,254
  • 3
  • 43
  • 68
  • Where and how do I set the session_gc.maxlifetime? I am running a program on someone elses server and don't have access to the php.ini file. – user1015214 Mar 14 '13 at 19:41
  • Use [`ini_set()`](http://www.php.net/manual/en/function.ini-set.php). – Oswald Mar 14 '13 at 20:25
1

Depends on:

  • the lifetime of the cookie, 0 should mean 'until the browser closes', but firefox / mozilla tend to view it (due to their 'restore session' functionality) as 'forever' (which is IMHO a security concern so you should regenerate your id on receiving an empty session array). So: user-agent dependant.
  • the configured garbage collection of stale sessions. Note you can let the webserver handle this (X percent change of cleaning up stale data), which makes it a bit unpredictable. However, some packages (PHP on Debian for instance) just use a cronjob to remove stale sessions, which could wreak havoc if your custom session.gc_maxlifetime settings are ignored due to to another server-wide setting.

So, in other words, your session still lives if your UA has decided to keep the cookie, and no process has decided to remove the data. Which requires you to know the settings of both UA and your server.

Wrikken
  • 69,272
  • 8
  • 97
  • 136