2

I have a form with multiple pages. I use the $_SESSION array to store the user input. Each page starts with

session_start();

Sometimes the $_SESSION variables are lost. I guess this is happens if the user remains for a too long period afk and the Garbage Collector removes then the variables.

If I understand it correctly, then the function session_status() only checks if a session has been started, and not if the garbage collector has removed recently any entries.

If the garbage collector becomes active, does he delete all entries of the $_SESSION array or just some of them? In other words, could I check if my Session expired by simply doing the following:

session_start();
if(empty($_SESSION)){
   // Garbage Collecter removed entries because user was too long afk
}
Community
  • 1
  • 1
Adam
  • 25,960
  • 22
  • 158
  • 247
  • It doesn't delete some entries. Either it's all there or not. – Sergiu Paraschiv Mar 27 '17 at 09:41
  • @SergiuParaschiv so if I calll `session_start` after the Garbage Collector removed the SESSION, then the `$_SESSION` array is empty? – Adam Mar 27 '17 at 09:45
  • The "garbage collector" runs synchronously when you run `session_start`, you'll never see partially removed data. GC drops all the session data or nothing. – Sergiu Paraschiv Mar 27 '17 at 10:01

1 Answers1

3

The overall mechanism is not as sophisticated as you probably think.

Sessions can have several storage back-ends, the default of which is the builtin file handler, that merely creates, well, files:

Files in Windows Explorer

The only way to link a given file with a given session is the session ID which, as you can see, is part of the file name.

Garbage collection is a file removal based on last modification time. Once it happens, files are gone forever. There's just no trace or record that the file ever existed.

In general, you don't need to worry about this case. Just make sure you define a lifetime that's long enough for your application. The default value in many systems often ranges from 20 to 30 minutes, which is fairly small. Also, make sure your app has its own session directory, so other apps with a shorter lifetime won't remove your files:

session_save_path('/home/foo/app/sessions');
ini_set('session.gc_maxlifetime', 86400); // 1 day (in seconds)

P.S. Some Linux systems disable PHP garbage collection and replace it with a custom cron script, what prevents custom locations from being cleaned up. For that reason I normally set these other directives just in case:

// Restore the default values
ini_set('session.gc_probability', 1);
ini_set('session.gc_divisor', 100);
Álvaro González
  • 142,137
  • 41
  • 261
  • 360
  • Although I wasn't actually interested in the question, your answer did teach me something interesting. Just one suggestion: since you used `gc_probability` and `gc_divisor` in your example, maybe you could explain them with a short comment as well? – domsson Mar 27 '17 at 10:27
  • 1
    @domdom you should read http://stackoverflow.com/questions/520237/how-do-i-expire-a-php-session-after-30-minutes/1270960#1270960 – Adam Mar 27 '17 at 10:35
  • 1
    @domdom Sure, there it is. – Álvaro González Mar 27 '17 at 10:43