9

I see there are thousands of files in my "/tmp" directory (a CentOS machine) and almost all of them are PHP session files.
I'm worried about the possible impact this might have on my system.
Are those files ever deleted either by the OS, Apache or PHP? or I have to take care of it myself?

GetFree
  • 1,500
  • 7
  • 23
  • 37
  • 1
    If this is an application you have developed, then have you considered using database based sessions instead? – Zoredache May 04 '10 at 06:59
  • 1
    @Zoredache, For that I would need to write a session handler which uses mysql. Plus, that would put extra loading on the DB which is already very loaded. I dont know if the impact on performance would be good. – GetFree May 04 '10 at 15:16
  • do you see old files? – Karoly Horvath Jul 19 '12 at 11:01
  • @GetFree well, you wouldn't need to *write* one. There are existing session handlers for memcached, mysql, redis, postgres, msession, and many more. – kojiro Sep 27 '13 at 18:08

4 Answers4

9

They should be deleted by the PHP garbage collector. The frequency is controlled by the session.gc_maxlifetime setting in php.ini. Possibly if this is not kicking in you have other problems.

Community
  • 1
Jon Rhoades
  • 4,987
  • 3
  • 31
  • 48
  • 1
    But garbage collection exits from PHP 5.3 on. What about older versions? – GetFree May 04 '10 at 00:58
  • 1
    If your question is specific to a particular version of PHP, then you need to state this in your question. – dunxd Oct 24 '11 at 10:21
  • 5
    "garbage collection" is used in different ways for different things. The session garbage collection exists since PHP 4.0 (which introduced the session module). What's new in 5.3 is the memory garbage collection for cleaning up cyclic references of PHP variables where the reference counting mechanism keeps them alive till request end. http://php.net/gc vs. http://php.net/session.gc-probability – johannes Oct 24 '11 at 11:26
7

On default Debian and Ubuntu, the sessions are cleaned up by cron /etc/cron.d/php5

# Look for and purge old sessions every 30 minutes
09,39 *     * * *     root   [ -x /usr/lib/php5/maxlifetime ] && [ -d /var/lib/php5 ] && find /var/lib/php5/ -type f -cmin +$(/usr/lib/php5/maxlifetime) -delete

where /usr/lib/php5/maxlifetime gives lifetime in minutes as set in session.gc_maxlifetime.

Ladadadada
  • 26,337
  • 7
  • 59
  • 90
Tim Hecktor
  • 71
  • 1
  • 1
  • In Ubuntu 20 the sessions are cleaned up by calling script `/usr/lib/php/sessionclean` in cron `/etc/cron.d/php5` – AndreyP May 15 '21 at 12:34
2

Also at reboot - as /tmp is always cleared out on reboot.

thinice
  • 4,716
  • 21
  • 38
1

You could setup a cron script to clean them up automatically. It's generally a good idea to test for creation date older than what the life of cookies is set up to be on your system.

Limiting cookie life is done thusly (must be done before script outputs anything):

<?php
session_name('my_site_name');
session_set_cookie_params(1209600); # max cookie age of 14 days
# send cookie headers
session_start();
?>

Then, in your cleanup script:

#!/bin/sh
find /tmp -maxdepth 1 -type f -name 'php_session_file_prefix*' -ctime +15 -exec rm -f {} \;

Then, in your crontab:

# Run daily cron jobs at 03:40 every day
40 3 * * * /path/to/php-session-cleanup.sh
zerodahero
  • 105
  • 4
amphetamachine
  • 852
  • 1
  • 8
  • 14