Symfony2 Session Idle Time

[shaunie]

Hi,

 

I understand I can use gc_maxlifetime to kill any sessions and logout a user if they have left the browser idle. How do I set this so it can be configured via config.yml?

[shaunie]

I have set the parameters in config.yml as this but it's not logging me out after 10 seconds...

 

framework:

    session:

        cookie_lifetime: 10

        gc_maxlifetime: 10

        gc_probability: 1

        gc_divisor: 1

[sKunKbad]

GC doesn't always run, that's why there is a probability. Try setting probability higher. I think you are playing with the wrong setting though. I don't use symfony, but you should probably be setting a session expire time, not the GC.

[gizmola]

This is a common misconception that people have about sessions. "Login" is an application concept. Sessions are simply per-connection server-side storage. An anonymous user hitting your server will create a session in most cases.

 

By default sessions are stored as files on your file server. You can look at the manual page to see how the garbage collection works, but as skunkbad stated, without a quorum of users hitting your site, the probability calculation won't be triggered, and garbage collection will not cleanup the session files.

 

Regardless of this fact, your application would be better served if you set an application expire time in your session, and utilized that to determine that someone should be logged out.

 

With that said, one fairly easy way of doing what you're trying to do, would be to change the storage of your sessions from the default to a cache system like memcache, where you can control the expiration of the storage separately at creation time. I don't advise that you do that until you better understand session mechanics, however, memcache is certainly a high performance/scalability step, should your deployment ever get to the point that you require multiple servers behind a load balancer.

 

I would still recommend that you handle "login" in your application code. Also, to be clear, these calculations can only be determined when requests are made. An idle browser will not show that the client is "logged out" if no requests are made to the server.