5

I'm wondering how long php sessions are stored in server memory.What if user logs in (sets session variables in server) and he keeps his browser open for a long time suppose 30 days and he reloads the page on the 31st day? Can browser access session variables(browser still has session cookie)?

Shyam3089
  • 459
  • 1
  • 5
  • 20
  • It is configurable. See http://stackoverflow.com/questions/8311320/how-to-change-the-session-timeout-in-php – folkol Sep 23 '14 at 15:57
  • HTTP connections are not stateful. They open the connection, fetch some files and then close it. The server does not know what happens in those 30 days with the browser. – Daniel W. Sep 23 '14 at 15:57

3 Answers3

12

Default php.ini sets the session expiration time to 30 minutes.

Check out these settings: session.gc_maxlifetime and session.cookie_lifetime

As long as the browser have the cookie stored, it doesn't matter if it is closed or is open.

If you want to store the session for lets say 30 days, you can add:

ini_set('session.gc_maxlifetime', 30*24*60*60);
ini_set('session.cookie_lifetime', 30*24*60*60);
Stanimir Stoyanov
  • 1,623
  • 18
  • 29
  • Thank you for your answer.I have one more doubt that what if browser sends request with session cookie to acces session variables after 30 minutes?I'm confused. – Shyam3089 Sep 23 '14 at 16:14
  • 1
    @user3370495 Sessions are managed by the server. Thus, once the session expires, the server will no longer recognize the cookie, even if the user still has it. – Dave Chen Sep 23 '14 at 16:18
  • After the cookie_lifetime period (lets say 30 minutes) the cookie will be expired, and the browser will automatically delete it, meaning that the session data will be lost. Alternatively, when gc_maxlifetime expires, the garbage collector should erase the session information from the server. – Stanimir Stoyanov Sep 23 '14 at 16:20
  • 2
    @StanimirStoyanov Sorry but that's misleading. The server deletes the session data. The browser is simply deleting a link (an ID) to the data. Browsers that do not delete the cookie still cannot access session data because the server has deleted the data. – Dave Chen Sep 23 '14 at 16:30
  • You're right, Dave. Sorry if I didn't explained it correctly. – Stanimir Stoyanov Sep 23 '14 at 16:34
0

Normally you would code as part of your session handling code a function for expiring sessions after some time has elapsed, so in that case it would't matter how long they left there browser open

Josh Kirkpatrick
  • 179
  • 9
0

I think this depends on what you have set in php.ini http://php.net/manual/en/function.session-set-cookie-params.php

jbchurchill
  • 172
  • 2
  • 10