
I want to limit certain sessions to a certain length. I've found the following example:

 

ini_set('session.gc_maxlifetime',1800);
ini_set('session.gc_probability',1);
ini_set('session.gc_divisor',1);

 

Can anyone clear up the following?:

 

[1] Do I place this before or after the session start?

[2] Do I need the second and third lines?

[3] What happens when the maxlifetime is reached? Could the session be cancelled even if the user is in the middle of something?

 

https://forums.phpfreaks.com/topic/200409-session-lengthtimeout/

[1] Do I place this before or after the session start?

[2] Do I need the second and third lines?

[3] What happens when the maxlifetime is reached? Could the session be cancelled even if the user is in the middle of something?

1. Before.

2. Don't know. Do you? They are for garbage collecting. The second works in conjunction with the third one.

3. The session will be garbage and be cleaned. What does it mean for a session to be canceled?

maxlifetime specifies the number of seconds after which data will be seen as garbage and potentially cleaned up. Garbage collection may occur during session start depending on the next two values.

 

The probabilities are calculated by using gc_probability/gc_divisor, e.g. 1/100 means there is a 1% chance that the GC process starts on each request. session.gc_divisor defaults to 100. Having a 1/1 chance ensures it is collected, so I'm not sure why you have it there.

The second and third lines were just used in an example I found. I won't need them.

 

@Ken: By cancel, I mean destroy the session. It's just a basic security measure to log users out after 30 mins of idle activity.

 

If you're wanting for it to be destroyed then yes, the three lines will ensure a 1/1 chance after 30 minutes for the garbage collector to reclaim it.

 

It'd be useful to read the configuration you're touching first to know what they do:

http://www.php.net/manual/en/session.configuration.php

It'd be useful to read the configuration you're touching first to know what they do:

http://www.php.net/manual/en/session.configuration.php

 

Cheers. The explanations are useful.

 

session.gc_maxlifetime specifies the number of seconds after which data will be seen as 'garbage' and potentially cleaned up. Garbage collection may occur during session start (depending on session.gc_probability and session.gc_divisor).

 

session.gc_divisor integer

session.gc_divisor coupled with session.gc_probability defines the probability that the gc (garbage collection) process is started on every session initialization. The probability is calculated by using gc_probability/gc_divisor, e.g. 1/100 means there is a 1% chance that the GC process starts on each request. session.gc_divisor defaults to 100.

 

session.gc_probability integer

session.gc_probability in conjunction with session.gc_divisor is used to manage probability that the gc (garbage collection) routine is started. Defaults to 1. See session.gc_divisor for details.

 

I don't exactly understand the probability calculation but so long as the three lines will destroy the session then I'm good.

 

Will these three lines apply to just the sessions started on the page or all sessions?

 

Does the 30 mins count down from the session start or the last activity for that session?

 

I came across this on stackoverflow:

 

if (!isset($_SESSION['CREATED'])) {
    $_SESSION['CREATED'] = time();
} else if (time() - $_SESSION['CREATED'] > 1800) {
    // session started more than 30 minutes ago
    session_destroy();
    $_SESSION = array();
}

 

Apparently, session.gc_maxlifetime is not reliable for the following reasons:

 

But the garbage collector is only started with a probability of session.gc_probability divided by session.gc_divisor. And using the default values for those options (1 and 100), the chance is only at 1%.

 

Furthermore the age of the session data is calculated on the file’s last modification date and not the last access date.

 

So it additionally might occur that a session data file is deleted while the session itself is still considered as valid.
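
An added example, not part of the original thread or of the Stack Overflow answer it quotes: one way to enforce both the idle timeout and a cap on total session age in application code, so that logout does not depend on when the garbage collector runs. The constants, the function names and the LAST_ACTIVITY key are assumed names; CREATED is the key from the snippet above, and the 8-hour cap is an assumed value.

```php
<?php
// Added example: enforce session timeouts in application code instead of
// relying on garbage collection. IDLE_LIMIT, ABSOLUTE_LIMIT, the function
// names and the LAST_ACTIVITY key are assumptions made for this sketch.
const IDLE_LIMIT = 1800;       // 30 minutes without a request
const ABSOLUTE_LIMIT = 28800;  // assumed 8-hour cap on total session age

// Pure decision function: returns 'ok', 'idle' or 'expired' for time $now.
function session_state(array $session, int $now): string
{
    if (isset($session['CREATED']) && $now - $session['CREATED'] > ABSOLUTE_LIMIT) {
        return 'expired';
    }
    if (isset($session['LAST_ACTIVITY']) && $now - $session['LAST_ACTIVITY'] > IDLE_LIMIT) {
        return 'idle';
    }
    return 'ok';
}

// Call at the top of every protected page, before any output is sent.
function enforce_session_timeout(): bool
{
    // Set before session_start(). Keeping gc_maxlifetime at least as long as
    // the idle limit stops the GC from deleting data the application still
    // considers valid.
    ini_set('session.gc_maxlifetime', (string) IDLE_LIMIT);
    session_start();
    $now = time();

    if (session_state($_SESSION, $now) !== 'ok') {
        // Clear the data, expire the cookie, then drop the server-side record.
        $_SESSION = [];
        if (ini_get('session.use_cookies')) {
            $p = session_get_cookie_params();
            setcookie(session_name(), '', $now - 42000,
                $p['path'], $p['domain'], $p['secure'], $p['httponly']);
        }
        session_destroy();
        return false; // caller should send the user back to the login page
    }

    // First request stamps the creation time; every request stamps activity.
    $_SESSION['CREATED'] = $_SESSION['CREATED'] ?? $now;
    // Changing this value means the session data is rewritten on each request.
    $_SESSION['LAST_ACTIVITY'] = $now;
    return true;
}
```

Because LAST_ACTIVITY is updated on every request, the 30 minutes count from the last activity, while CREATED bounds the total age regardless of activity.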
