
I have read several articles on this topic but still don't fully understand the relationship between the client-side session cookie, the server-side session file, and the way PHP "randomly" chooses to remove or keep a session during garbage collection.

The behavior I am trying to ensure is:

  • a user logs in, and the session begins
  • if the user is inactive* for a period of 1 hour, the session is destroyed

*this is critical for my site because the user may be spending an hour apparently "idle" on the same page, but in fact they are not idle. They may be composing a long written report, watching a video, etc.

What I'm using so far is:

session_start();
setcookie(session_name(),session_id(),time()+3600);

This code is executed on every page load.

I also have an AJAX request firing every minute via a setInterval, which loads a PHP script containing the above code on pages where the user is apparently "idle".

Will my approach ensure the behavior I require? Or am I missing something? Perhaps there is a cleaner way to ensure this behavior.

Many thanks in advance.

praine
    Possible duplicate of [How to change the session timeout in PHP?](https://stackoverflow.com/questions/8311320/how-to-change-the-session-timeout-in-php) – M. Eriksson Jun 27 '17 at 08:27
  • This has a good explanation of session garbage collection : https://stackoverflow.com/questions/520237/how-do-i-expire-a-php-session-after-30-minutes/1270960#1270960 – CD001 Jun 27 '17 at 08:29

2 Answers


You could try something like this:

session_start();
if (isset($_SESSION['LAST_ACTIVITY']) && (time() - $_SESSION['LAST_ACTIVITY'] > 3600)) {
    // more than 60 minutes since the last request: expire the session
    session_unset();     // clear the $_SESSION array
    session_destroy();   // destroy session data that is in storage
}
$_SESSION['LAST_ACTIVITY'] = time(); // record this request as the latest activity
unknowncoder

I ... still don't fully understand the relationship between the client-side session cookie, the server-side session file, and the way PHP "randomly" chooses to remove or keep a session during garbage collection.

The client-side cookie does not hold any info about the user. It's only a token, which is sent to the server with any other info with every new request. The expiration limit you are setting indicates how long the client-side cookie is valid.

Server-side session files and garbage collection are something else. In php.ini you may set session.gc_maxlifetime, defaulting to 1440, which indicates "the number of seconds after which data will be seen as 'garbage' and potentially cleaned up". And then there is session.gc_probability (defaulting to 1) and session.gc_divisor (defaulting to 100).

This means that after 1440 seconds there is a 1/100 chance that the garbage collector will start, cleaning the session, which is now considered garbage.

If you wish to remove the session after an hour with a 100% probability, set session.gc_probability to 0 and remove the old sessions manually. For this, you could save "last activity" in your database and cron a script which removes sessions whose "last activity" differs from time() by more than 1 hour.

Kevin Kopf
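Putting the points above together (gc_maxlifetime no shorter than the idle window, and a server-side last-activity check instead of trusting the cookie's expiry), here is an added example that is not from the question or either answer; the constant IDLE_TIMEOUT and the function start_session_with_idle_timeout are names chosen for this illustration.

```php
<?php
// Added example: enforce a one-hour idle timeout on the server side, so the
// decision does not depend on the client cookie or on the probabilistic GC.
declare(strict_types=1);

const IDLE_TIMEOUT = 3600; // seconds of inactivity after which the session is dropped

function start_session_with_idle_timeout(int $idleTimeout = IDLE_TIMEOUT): bool
{
    // gc_maxlifetime must be at least the idle window, or the collector may
    // remove the session file while the user is still inside the allowed hour.
    ini_set('session.gc_maxlifetime', (string) $idleTimeout);

    // Cookie lifetime 0 = browser session. The check below is what really
    // expires the login, so a client cannot extend it by keeping the cookie.
    session_set_cookie_params([
        'lifetime' => 0,
        'httponly' => true,
        'secure'   => true,
        'samesite' => 'Lax',
    ]);
    session_start();

    $last = $_SESSION['LAST_ACTIVITY'] ?? null;
    if ($last !== null && (time() - $last) > $idleTimeout) {
        // Idle too long: wipe the data, remove the stored session and start
        // a fresh, empty one under a new ID so the old ID is no longer valid.
        $_SESSION = [];
        session_destroy();
        session_start();
        session_regenerate_id(true);
        $_SESSION['LAST_ACTIVITY'] = time();
        return false; // caller should treat the user as logged out
    }

    // Every request, including the per-minute keep-alive ping from the
    // question, counts as activity and pushes the deadline one hour out.
    $_SESSION['LAST_ACTIVITY'] = time();
    return true;
}

// In keepalive.php (the script fetched by the setInterval request):
// start_session_with_idle_timeout();  // refreshes LAST_ACTIVITY, nothing else
```

Call the function at the top of every page instead of the session_start()/setcookie() pair from the question; when it returns false the user must log in again.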