71

If I hit a page which calls session_start(), how long would I have to wait before I get a new session ID when I refresh the page?

Greg B
  • 4
    also see for a more detailed answer: http://stackoverflow.com/questions/520237/how-do-i-expire-a-php-session-after-30-minutes – kontur Aug 14 '12 at 13:46

6 Answers

65

Check out php.ini; the value set for session.gc_maxlifetime is the ID lifetime in seconds.

I believe the default is 1440 seconds (24 mins)

http://www.php.net/manual/en/session.configuration.php

Edit: As some comments point out, the above is not entirely accurate. A wonderful explanation of why, and how to implement session lifetimes is available here:

How do I expire a PHP session after 30 minutes?

Community
Martin
  • 22
    @chris why don't you suggest an alternative answer? – Brannon Jun 27 '13 at 19:11
  • 5
    As Brannon writes, this is completely wrong and should not be the selected answer. This value tells the garbage collector how to behave, it's not about how long your session lives. A session could live forever if you weren't adding some mechanism. The key is to handle the session lifetime on your own (i.e. delete the session data after a period of inactivity) and set session.gc_maxlifetime to a greater or equal value. kontur suggested the best answer on this point, but please unvalidate this answer, it even leads to security issues. – Ninj Sep 19 '13 at 12:56
  • 3
    Wrong answer, this only sets the time when invalid session files get deleted / "garbage collected". Setting this higher will NOT prolong user sessions. – Manuel Arwed Schmidt Jun 15 '14 at 18:45
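
The approach the comments above describe (expire the session yourself after a period of inactivity, and keep session.gc_maxlifetime at or above that limit), as an added example that is not part of the original thread. The constants, the function names and the `created`, `rotated` and `last_activity` session keys are assumptions chosen for illustration:

```php
<?php
// Added example, not code from the thread. The limits below are assumed values.
const IDLE_LIMIT     = 1800;   // expire after 30 minutes without a request
const ABSOLUTE_LIMIT = 28800;  // expire 8 hours after creation regardless of activity
const ROTATE_EVERY   = 300;    // issue a fresh session ID every 5 minutes

// GC must not delete session files before the application-level limits apply.
ini_set('session.gc_maxlifetime', (string) ABSOLUTE_LIMIT);
ini_set('session.use_strict_mode', '1');  // ignore session IDs the server never issued
ini_set('session.use_only_cookies', '1'); // never accept a session ID from the URL

// Decide from the stored timestamps alone whether the session is too old.
function session_is_expired(array $data, int $now): bool
{
    if (!isset($data['created'], $data['last_activity'])) {
        return false; // new session: no timestamps recorded yet
    }
    return ($now - $data['last_activity']) > IDLE_LIMIT
        || ($now - $data['created']) > ABSOLUTE_LIMIT;
}

// Drop-in replacement for a bare session_start() call.
function start_session_with_timeout(): void
{
    session_start();
    $now = time();

    if (session_is_expired($_SESSION, $now)) {
        $_SESSION = [];              // discard the stale data
        session_regenerate_id(true); // new ID, old session file deleted
    }

    $_SESSION['created'] ??= $now;
    $_SESSION['rotated'] ??= $now;
    $_SESSION['last_activity'] = $now;

    if ($now - $_SESSION['rotated'] > ROTATE_EVERY) {
        session_regenerate_id(true);
        $_SESSION['rotated'] = $now;
    }
}

start_session_with_timeout();
```

Because the expiry decision is made from timestamps stored in the session itself, it holds no matter when, or whether, the garbage collector runs.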
28

The default in the php.ini for the session.gc_maxlifetime directive (the "gc" is for garbage collection) is 1440 seconds or 24 minutes. See the Session Runtime Configuration page in the manual:

http://www.php.net/manual/en/session.configuration.php

You can change this constant in the php.ini or .httpd.conf files if you have access to them, or in the local .htaccess file on your web site. To set the timeout to one hour using the .htaccess method, add this line to the .htaccess file in the root directory of the site:

php_value session.gc_maxlifetime "3600"

Be careful if you are on a shared host or if you host more than one site where you have not changed the default. The default session location is the /tmp directory, and the garbage collection routine will run every 24 minutes for these other sites (and wipe out your sessions in the process, regardless of how long they should be kept). See the note on the manual page or this site for a better explanation.

The answer to this is to move your sessions to another directory using session.save_path. This also helps prevent bad guys from hijacking your visitors' sessions from the default /tmp directory.

ParoX
flamingLogos
  • 4
    -1, not a correct answer to the question. common misconception. a gc collected session file will not make php generate a new session id, nor is the time limit reliable even when sessions are saved to their own directory. – goat Apr 29 '12 at 23:23
6

It depends on your PHP settings...
Use phpinfo() and take a look at the session chapter. There are values like session.gc_maxlifetime and session.cache_expire and session.cookie_lifetime which affect the session's lifetime.

EDIT: it's like Martin wrote before

A J
jochil
4

According to a user on the PHP.net site, his efforts to keep the session alive failed, so he had to make a workaround.

<?php

$Lifetime = 3600;
$separator = (strstr(strtoupper(substr(PHP_OS, 0, 3)), "WIN")) ? "\\" : "/";

$DirectoryPath = dirname(__FILE__) . "{$separator}SessionData";
//in Wamp for Windows the result for $DirectoryPath
//would be C:\wamp\www\your_site\SessionData

// Owner-only permissions: session files must not be readable or writable by other local users.
is_dir($DirectoryPath) or mkdir($DirectoryPath, 0700);

if (ini_get("session.use_trans_sid") == true) {
    ini_set("url_rewriter.tags", "");
    ini_set("session.use_trans_sid", false);

}

ini_set("session.gc_maxlifetime", $Lifetime);
ini_set("session.gc_divisor", "1");
ini_set("session.gc_probability", "1");
ini_set("session.cookie_lifetime", "0");
ini_set("session.save_path", $DirectoryPath);
session_start();

?>

The SessionData folder will store text files holding session information; each file will have a name similar to "sess_a_big_hash_here".

Junior Mayhé
2

You can use something like ini_set('session.gc_maxlifetime', 28800); // 8 * 60 * 60 too.

Eduardo Cuomo
1

But watch out, on most xampp/ampp/...-setups and some Linux distributions it's 0, which means the file will never get deleted until you do it within your script (or dirty via shell)

PHP.INI:

; Lifetime in seconds of cookie or, if 0, until browser is restarted.
; http://php.net/session.cookie-lifetime
session.cookie_lifetime = 0
Sliq