3

I am trying to set gc_maxlifetime in PHP.

Here is the code in 'header.php', which I include in every page.

```php
ini_set('session.cookie_lifetime', 1);
ini_set('session.gc_maxlifetime', 1);
session_start();
```

I tested it with

```php
echo ini_get('session.gc_maxlifetime');
```

and it is set to 1.

But it still keeps the login status; that is, the session has not been deleted.

What is the possible reason?

andytt
  • I'd start by [reading the fine manual](http://php.net/manual/session.configuration.php#ini.session.gc-maxlifetime) - *"specifies the number of seconds after which data will be seen as 'garbage' and **potentially** cleaned up"* – Phil Mar 19 '14 at 04:41
  • What problem are you trying to solve by setting 'gc_maxlifetime'? – Ryan Vincent Mar 19 '14 at 04:51
  • @Phil I have read the manual and have been googling for hours, but I still can't solve the problem. – andytt Mar 19 '14 at 05:34
  • @RyanVincent My problem is that I log in, wait 10 seconds and refresh the page, and the session is still there! I wasn't logged out as expected. – andytt Mar 19 '14 at 05:35
  • @RyanVincent I am trying to set 'gc_maxlifetime' to keep login status, but I have found out that the session was not cleaned up after the specified time (1s as an example). – andytt Mar 19 '14 at 05:47
  • I do not know your code, but when you log in a $_SESSION variable is set true. This is tested later to check you are authorised. When you log out, the $_SESSION variable needs to be cleared or the 'session_destroyed'. There is a tutorial about this here: http://www.adampatterson.ca/blog/2010/09/php-user-login-with-sessions. – Ryan Vincent Mar 19 '14 at 05:48
  • @RyanVincent How do I clean the session if the user is idle for 10 seconds? – andytt Mar 19 '14 at 06:49
  • Store last access time in session, check last access time at every page load, if it is >10 seconds `session_destroy()` – hank Mar 19 '14 at 06:54
  • @hank Thanks for replying, why didn't 'gc_maxlifetime' work if I set it to 10? – andytt Mar 19 '14 at 07:07

1 Answer

6

Why doesn't Garbage Collection run?

GC does not run on every request; with the default PHP settings there is a 1% chance that GC runs: `session.gc_probability` (default 1) / `session.gc_divisor` (default 100) = 0.01 (1% chance).

Relevant manual entry: http://php.net/manual/en/session.configuration.php#ini.session.gc-probability

My suggestion is to store the last time a session was touched and check against that value on every page load; if enough time has passed, call `session_destroy()` and redirect the user to the login page.

hank
  • There is another problem: what if I want to set the time to 1HR? The default `gc_maxlifetime` is 24 minutes. Should I just `ini_set` `gc_maxlifetime`? – andytt Mar 19 '14 at 07:34
  • DO NOT ABUSE GC_MAXLIFETIME. Read my suggestion instead. – hank Mar 19 '14 at 08:11
  • If `gc_maxlifetime` is not set, after 24 minutes (default) the user's session would expire. Then where should I store the `last time`? – andytt Mar 19 '14 at 08:28
  • Is it really necessary to do a check for session expiry inside the application? It sounds like this is something the session module should be taking care of. It's not clear in the PHP docs why an expired session (which hasn't been cleaned up by the gc) still manages to get used. – Phil Oct 02 '16 at 21:46
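
The approach suggested in the answer (store the last access time in the session and check it on every page load), written out as an added example that is not part of the original answer or comments. `IDLE_TIMEOUT`, `LOGIN_URL` and the `last_activity` session key are assumed names; the 1-hour value comes from the comment above, and `gc_maxlifetime` is raised only so that garbage collection cannot discard the data before the application's own check applies.

```php
<?php
// Added example, not from the original post. IDLE_TIMEOUT, LOGIN_URL and the
// 'last_activity' session key are assumed names.
const IDLE_TIMEOUT = 3600;          // seconds of inactivity allowed (1 hour)
const LOGIN_URL    = '/login.php';  // hypothetical login page

// Pure decision function: has this session been idle longer than allowed?
function session_is_expired(array $session, int $now, int $timeout): bool
{
    if (!isset($session['last_activity'])) {
        return false;               // brand-new session, nothing to expire yet
    }
    return ($now - (int) $session['last_activity']) > $timeout;
}

// Remove the server-side data and tell the browser to drop the cookie.
function destroy_session(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// GC is only cleanup: keep its threshold at or above the idle timeout so the
// data is not collected early. The actual expiry decision is made below.
ini_set('session.gc_maxlifetime', (string) IDLE_TIMEOUT);
ini_set('session.cookie_lifetime', '0');   // browser-session cookie
session_start();

if (session_is_expired($_SESSION, time(), IDLE_TIMEOUT)) {
    destroy_session();
    header('Location: ' . LOGIN_URL);
    exit;
}
$_SESSION['last_activity'] = time();       // refresh the idle timer on every request
```

Because the check runs on every request, expiry no longer depends on whether the probabilistic garbage collector happened to run.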