gc_maxlifetime is already set to 24 minutes, but when each application has a different sess_expiration. One of them is set to 9000 seconds (2 1/2 hours). The app expires based on gc_maxlifetime, not sess_expiration. Why is that? How can the sess_expiration work if it is longer than gc_maxlifetime?
Check [official documentation and comments below](http://php.net/manual/en/session.configuration.php) how to set it. – Tpojka Mar 29 '16 at 20:15
2 Answers
Reading from here: why ini_set('session.gc_maxlifetime',60) doesn't work? and here: https://www.dev-metal.com/how-the-php-session-garbage-collector-really-works/
Because the garbage collector starts (if it starts) before the session.
I think that the gc_maxlifetime fires before your CI session handler, and because of this it 'wins'.
To avoid being forced to modify your php.ini file, you could try to set it before each session_start:

```php
// Both settings must be changed before session_start() is called.
ini_set("session.cookie_lifetime", "7200");
ini_set("session.gc_maxlifetime", "7200");
session_start();
```

Or in your .htaccess file:

```apache
php_value session.gc_maxlifetime 7200
php_value session.cookie_lifetime 7200
```
You could read more here: Codeigniter increase session time out not working
Hope it helps!
GC is run after session initialization, and both of these INIs are overridden by CodeIgniter. – Narf Mar 29 '16 at 21:21
Not really as simple as you've put it ...
It is true that gc_maxlifetime is what determines if a session should be deleted or not, because that's effectively the "server-side timer" that counts towards the deletion of a session - there's one on the client side as well, because that's where cookies are stored.
However, CodeIgniter will set gc_maxlifetime to the same value that you put in sess_expiration, unless it is 0 (in which case it uses your php.ini value).
But something else in your question may be important:
> but when each application has a different sess_expiration. One of them is set to 9000 seconds (2 1/2 hours)

If you are using the same sess_save_path, sess_cookie_name, sess_match_ip on the same server, but for multiple applications ... then the application with the lowest sess_expiration value will at some point delete sessions that you intended to be still valid for others.
TL;DR: Don't use the same session "space" for separate applications.

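The shared session "space" problem from the second answer, as an added example that is not part of the original posts and is not CodeIgniter's code. It assumes file-based sessions and a simplified sweep that deletes every file with the sweeping app's cookie-name prefix older than that app's lifetime; `gc_sweep`, `make_session`, the 1440-second lifetime, the session id and the temp paths are constructed for illustration.

```php
<?php
// Added example: simplified model of a file-based session GC sweep.
// Assumption: session files are named <cookie name><session id>, and a sweep
// deletes every matching file in the save path older than the sweeper's lifetime.

function gc_sweep(string $savePath, string $cookieName, int $maxLifetime, int $now): array
{
    clearstatcache();
    $deleted = [];
    foreach (glob($savePath . '/' . $cookieName . '*') ?: [] as $file) {
        if (is_file($file) && filemtime($file) < $now - $maxLifetime) {
            unlink($file);
            $deleted[] = basename($file);
        }
    }
    return $deleted;
}

function make_session(string $savePath, string $cookieName, string $id, int $lastWrite): string
{
    if (!is_dir($savePath)) {
        mkdir($savePath, 0700, true);
    }
    $file = $savePath . '/' . $cookieName . $id;
    file_put_contents($file, 'constructed session payload');
    touch($file, $lastWrite); // backdate the last write
    return $file;
}

$now  = time();
$root = sys_get_temp_dir() . '/sess_demo_' . uniqid();

// Shared space: app B (sess_expiration 9000) wrote its session 30 minutes ago.
$shared = make_session("$root/shared", 'ci_session', 'bbbb', $now - 1800);
// App A (constructed sess_expiration 1440) sweeps the same path and cookie name.
gc_sweep("$root/shared", 'ci_session', 1440, $now);
echo 'shared space, app B session survives:   ', var_export(file_exists($shared), true), "\n";

// Separate space: app B has its own save path and cookie name.
$separate = make_session("$root/app_b", 'app_b_session', 'bbbb', $now - 1800);
gc_sweep("$root/app_a", 'app_a_session', 1440, $now);
echo 'separate space, app B session survives: ', var_export(file_exists($separate), true), "\n";

// App B's own sweep still honours its 9000-second lifetime.
gc_sweep("$root/app_b", 'app_b_session', 9000, $now);
echo 'after app B sweep, session survives:    ', var_export(file_exists($separate), true), "\n";

// Clean up the constructed files and directories.
@unlink($separate);
@rmdir("$root/shared"); @rmdir("$root/app_b"); @rmdir($root);
```

Because the server-side lifetime is also the window in which a session identifier remains usable, giving each application its own save path and cookie name keeps one application's timeout from shortening, or being confused with, another's.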