2

I tried to change the value of session.gc_maxlifetime in php.ini to a small value so I could check if the session timeout was working or not, but the session never seems to expire. I also restarted apache to reload the php.ini. Does anyone know what can be the cause ?

Ashish
  • 1,121
  • 2
  • 15
  • 25
fd_
  • 49
  • 4
  • 10
  • The garbage collection process used to remove old sessions (the `gc` prefix in the directive name) is not triggered every time you start a session. Are you sure it's actually running and failing to remove old data? – Álvaro González Jan 13 '14 at 15:54
  • Thank you for answering me. How can I verify that it is actually running ? Do I have to enable it with gc_enable() ? – fd_ Jan 13 '14 at 16:52
  • `gc_enable()` belongs to a *different* garbage collector. I've added an answer. – Álvaro González Jan 13 '14 at 17:14
  • Does this answer your question? [ini\_set 'session.gc\_maxlifetime' for 1 day](https://stackoverflow.com/questions/24337474/ini-set-session-gc-maxlifetime-for-1-day) – Movahhedi Apr 22 '22 at 12:28

1 Answers1

2

The directive is called session.gc_maxlifetime and the gc prefix provides a little hint on how it works: PHP includes a built-in garbage collection process that takes care of physically removing obsolete session data from disk. But that process is not launched on every PHP request because that'd be an unnecessary overhead (even a single HTML document can trigger the execution of some dozen PHP scripts). Instead, it's executed randomly. That's controlled by the two other directives that start with "gc_":

Quoting from the manual:

session.gc_divisor coupled with session.gc_probability defines the probability that the gc (garbage collection) process is started on every session initialization. The probability is calculated by using gc_probability/gc_divisor, e.g. 1/100 means there is a 1% chance that the GC process starts on each request.

All this means that you cannot really know whether session.gc_maxlifetime is being honoured until the process runs. And if you're testing it in your local development box the process will run very few times (unlike your live server where there're thousand hits per minute).

A quick way to force it is to make gc_probability equal to gc_divisor so probability becomes 1.

Álvaro González
  • 142,137
  • 41
  • 261
  • 360
  • 2
    Thank you! It's much more clear now. I've decided to implement my own timeout finally, but it's good to know how it really works. – fd_ Jan 13 '14 at 20:05