determining session timeout length

[jeff5656]

When a user logs on, I authenticate them with a session.  How do I use php to determine the time until the session will expire?  I realize I could go into the ini file but is there a php code that can query this info and echo it back?

[kicken]

You can change fiddle with the ini settings using ini_set/ini_get.  If you want more refined control over the timeout period though you should implement it yourself.

 

On each page load, compare the current time to their last activity time (also set on each page load in the session).  If the difference between the two is greater than your time limit, invalidate the session.

 

if (isset($_SESSION['last_activity'])){
   $diff = time()-$_SESSION['last_activity'];
   if ($diff > 300){
      $_SESSION=array();
   }
}

$_SESSION['last_activity'] = time();

 

[jeff5656]

But how do I determine what the default session length is for any user who is logged in?

[kicken]

the value of session.gc_maxlifetime would be a rough estimate, but reality will differ.  PHP doesn't actively timeout sessions.  On each call to session_start there is a chance for it to run a session clean up routine.  this routine will check all the session save files and if the time between now and the files last access time is greater than the lifetime it deletes the file, essentially killing the session.  If your site does not get much traffic this routine won't get many chances to run so a session could stick around for a lot longer, days maybe even.

 

That is why if you want any sort of stability or control over a timeout you have to implement it yourself.

 

[jeff5656]

Ok thanks.  In the meantime I found this in the ini file:

 

session.gc_maxlifetime = 1440

 

Does 1440 refer to the number of seconds before a session times out?  Because that would be 24 minutes...

 

Also, in terms of setting $_SESSION['last_activity'], if the user sits idle for more than the  = 1440, wouldn't the session expire and make all your session variables null?  So that  $_SESSION['last_activity'] value would be irrelevant?

[scootstah]

Yes, it is in seconds.

 

EDIT: By the way, it is not too difficult to expand PHP sessions to implement some of your own features, such as a consistent timeout. You can do this with the session_set_save_handler.

[jeff5656]

i posted before i saw your reply.  see above

[PFMaBiSmAd]

Are you seeing session data disappearing in less than 24 minutes of inactivity? Are you on a shared web host?

[jeff5656]

No I guess 24 minutes sounds right - I never really timesd it. I'm on a dedicated server.

Question: if I am on a form and wait for 25 minutes before hitting submit, when I go to the action.php page and use your code up at top, will there still be a value associated with $_SESSION['last_activity'] or do all session variables get wiped out if the maximum session time has expired (1440 secs)?

 

 

[kicken]

Also, in terms of setting $_SESSION['last_activity'], if the user sits idle for more than the  = 1440, wouldn't the session expire and make all your session variables null?  So that  $_SESSION['last_activity'] value would be irrelevant?

 

Like I said, it all depends on when the GC routine gets run.  On my dev laptop for instance, where I am the only one ever hitting pages my session will remain active indefinitely.  I've worked on stuff, gone away for a day, come back and my session is still going strong.  Reason being that the GC routine is rarely ever run with only one person.

 

That 1440 seconds is how long a session has to be inactive for before php will kill it, but PHP will only kill it if the GC routine is run.  It won't end it the second it passes that mark.  For an active site such as these forums, chances are the GC routine would get run fairly regularly.  For a not so active site, it will be run fairly little.

 

I believe by default it is configured so that it only has about a 1% chance of being run on each call to session_start.  You could of course change these settings to make it run more or less often if desired.  The manual page I linked above has all the details on the settings and what they do.