[SOLVED] Session expiration question

[phpknight]

Let's say you set a session to expire in 20 minutes.  Does reading and/or writing a session value bump that time up each time, or does it expire 20 minutes from when it was first created?  I am pretty sure it is the former, but I want to check to make sure.

[Orio]

Yeah you are right, only after 20 mins of no activity it expires.

 

Orio.

[phpknight]

Okay, thanks.  Here is another one.  I logged in, and left the computer for 8 hours.  Then, I clicked reload.  It should have automatically deleted the session after about 1 hour based on my ini file, but it did not.  Does that have to do with the cookie still being there?

[Orio]

It probably did delete your session info... Did you have the same session id?

What is this script anyways? A members-login thing?

 

Orio.

[phpknight]

It did have the same session_id.  I know because I email myself the session every time using var_export since it is still in development and there are no users yet besides test people.

 

It is a login thing, but it is part of a huge project, so it is completely custom.  Right now, I just got registration, email confirmation, login, and logout done.  I just wanted to check to make sure the session was expiring after 60 minutes as part of the session management.  Since I was stuck on something else, I thought I would just go away and see if that was working.  Honestly, I was expecting it to, so I was a bit surprised when it did not work.

[Orio]

Try reducing the time to 1-2 mins and see it does work. You probably accessed the site in the middle or I don't know what. There's no reason for it not to expire.

 

Orio.

[keeB]

There's different levels of sessions, your browser probably held on to the data.

 

Try reducing it to 2 mins, and close the browser.

[phpknight]

Orio, I definitely did not access it in the middle because I was sleeping, lol. 

 

keeB, what do you mean by different session levels?  I thought the session data was on the server.  Wouldn't it be very dangerous to have the data and not just the id in the browser?

 

I have been working on this.  I deleted the cookies to get a fresh start and set the max.gc_lifetime to 10 seconds.

 

Here is the behavior I am getting.  Closing the browser works.  BUT reloading the open page after 15 seconds keeps the same id.  What I want is for that session to be expired and redirect to the login page.

 

Here is my theory: Since garbage collection only occurs 1% of the time, if I am just testing this site with no users expect me, I obviously am not getting many page views.  So, I could set the session to expire in 10 seconds, but if I do not get page views, garbage collection will not run, and the session will not be deleted.  If I simulated 1000 page views, though, then the session id should most likely get collected as garbage.  Does that make sense? 

 

I am just guessing that closing the browser itself somehow invalidates the session even without garbage collection.  Is that a possiblity?

 

 

[phpknight]

Update.  I found this post from hitman6003.  There was a bit of an argument, but I think he is right on this.

http://www.phpfreaks.com/forums/index.php/topic,154434.0.html

 

The browser destroys the session cookie when it closes if gc.max_lifetime is set to 0.  So, my last question. 

 

Please comment on the theory about garbage collection, though.  I'll probably test it later today.

[phpknight]

My garbage collection theory proved to be exactly the problem.  By setting garbage collection to 99%, it worked perfectly!