Tom Rogers #1
Re: [PHP] Session Timeout
Hi,
Saturday, August 30, 2003, 1:55:02 PM, you wrote:
SW> From what I see, the default timeout for a session is 1440 seconds or
SW> 24 minutes. I was gone for nearly an hour, came back, and the session
SW> was still valid. Must the value set in the config file be different
SW> than 1440, or am I misunderstanding session.gc_maxlifetime? I'd like
SW> for the user to be required to log in if they've been inactive for 10
SW> minutes, or if they closed the browser window and opened another one.
SW> Sorry for all the basic questions :)
SW> Seth Willits
SW> ------------------------------------------------------------------------
SW> ---
SW> President and Head Developer of Freak Software - http://www.freaksw.com
SW> Q&A Columnist for REALbasic Developer Magazine -
SW> http://www.rbdeveloper.com
SW> Webmaster for REALbasic Game Central - http://www.freaksw.com/rbgames
SW> "Not everything that can be counted counts, and not everything that
SW> counts
SW> can be counted."
SW> -- Albert Einstein
SW> ------------------------------------------------------------------------
SW> ---
The session timeout just sets the maximum time before the session data
becomes valid for a garbage collect. If a garbage collect is not
triggered the data is still valid as far as php is concerned. You have
to implement your own timeout checks if you need exactly 24 minutes.
You can do this by storing the last accessed time in the $_SESSION
array and checking it on each start.
I think by default garbage is collected 1 in every 100 hits. (1%)
If it were done on every hit it would start to impact performance on busy
sites.
--
regards,
Tom
Tom Rogers Guest
Curt Zirzow #2
Re: [PHP] Session Timeout
* Thus wrote Seth Willits (seth@freaksw.com):
> From what I see, the default timeout for a session is 1440 seconds or
> 24 minutes. I was gone for nearly an hour, came back, and the session
> was still valid. Must the value set in the config file be different
> than 1440, or am I misunderstanding session.gc_maxlifetime? I'd like
> for the user to be required to log in if they've been inactive for 10
> minutes, or if they closed the browser window and opened another one.
The issue with the session still being around when your browser
closed then reopened has to do with the ini setting:
session.cookie_lifetime
You want it to be 0, for it to expire as soon as the browser closes.
You might want to manage your lifetime of the session yourself,
like Tom Rogers suggested. This will also avoid issues with clock
settings on the client's computer. So a set up with something like
this:
php.ini:
    session.cookie_lifetime = 0
file.php:
    <?php
    $lifetime = 60 * 10; // 10 minutes lifetime
    session_start();
    // Expired when the last access is $lifetime seconds or more in the past
    if (!empty($_SESSION['last_access']) &&
        (time() - $_SESSION['last_access']) >= $lifetime) {
        // Session has expired
        $_SESSION = array(); // kill session
    } else {
        $_SESSION['last_access'] = time();
    }
-OR-
if you're not worried about the client's clock being fast or slow:
php.ini:
    session.cookie_lifetime = 600 ; value is in seconds (10 minutes)
Curt
--
"I used to think I was indecisive, but now I'm not so sure."
Curt Zirzow Guest
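
Added example, not part of either reply above: a server-side idle timeout of the kind both posters describe, which does not depend on when garbage collection runs or on the client's clock, and which also destroys the stored session data and expires the cookie. The names session_idle_expired, enforce_idle_timeout and IDLE_LIMIT are hypothetical, and the sample timestamps at the bottom are constructed.

```php
<?php
// Added example: names below are hypothetical, not from the thread.
const IDLE_LIMIT = 600; // 10 minutes, the idle limit asked for in the question

// Pure check, so the rule can be exercised without a live session.
function session_idle_expired(array $session, int $now, int $limit = IDLE_LIMIT): bool
{
    if (!isset($session['last_access'])) {
        return false; // fresh session: nothing to expire yet
    }
    return ($now - (int) $session['last_access']) >= $limit;
}

// Call at the top of every protected page. Returns false when the
// session was idle too long; the caller should then require a login.
function enforce_idle_timeout(): bool
{
    session_start();
    $now = time(); // server clock only

    if (session_idle_expired($_SESSION, $now)) {
        $_SESSION = [];
        // Expire the session cookie in the browser as well.
        if (ini_get('session.use_cookies')) {
            $p = session_get_cookie_params();
            setcookie(session_name(), '', $now - 42000,
                $p['path'], $p['domain'], $p['secure'], $p['httponly']);
        }
        session_destroy(); // remove stored data now instead of waiting for GC
        return false;
    }

    $_SESSION['last_access'] = $now;
    return true;
}

// Constructed sample data: one second under the limit, exactly at the
// limit, and a session with no timestamp yet.
$now = 1000000;
var_dump(session_idle_expired(['last_access' => $now - 599], $now));
var_dump(session_idle_expired(['last_access' => $now - 600], $now));
var_dump(session_idle_expired([], $now));
```

Run with php-cli, the last three lines exercise only the pure check; enforce_idle_timeout() needs a web request because it sends a cookie header.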




