php session

Does session.gc_maxlifetime restart if session_start() is called again, or is it calculated from the first time the session is created?


According to the docs:

session.gc_maxlifetime specifies the number of seconds after which data will be seen as 'garbage' and potentially cleaned up. Garbage collection may occur during session start (depending on session.gc_probability and session.gc_divisor). Defaults to 1440 (24 minutes).

But is this period of seconds calculated from the first time session_start() is called? Or does the time restart after session_start() is called again, or after some sort of interaction with $_SESSION is made?

If it is calculated from the first time the session is created, is there a way to restart this so that users don't face errors from trying to interact with session variables that have been reset to null?


Solution

  • The answer is: the session lifetime's end time will be "re-calculated" when session_start() is called again.

    Note: session.gc_maxlifetime specifies the maximum lifetime of a session (gc stands for garbage collection).

    It is because the garbage collection process is designed to abandon "inactive" sessions, which is obviously one of the security measures.

    For example, if you set the following in your php.ini and then restart httpd, the system will perform garbage collection 100% of the time (session.gc_probability/session.gc_divisor = 1) whenever the time reaches the lifetime timeout, which is 60 seconds:

    session.gc_maxlifetime=60
    session.gc_probability = 1000
    session.gc_divisor = 1000
    
    

    Now, if you run this PHP script (session1.php) in your browser:

    <?php session_start();
    
    $_SESSION["var1"]="Stack Overflow";
    

    If you then wait until after 60 seconds and run the following (session2.php), you will notice that the system echoes nothing, because $_SESSION["var1"] is destroyed due to garbage collection:

    <?php session_start();
    
    echo $_SESSION["var1"];
    
    

    However, if you run session1.php, then wait for 59 seconds and immediately run session2.php, you will notice that echo $_SESSION["var1"]; will display the words "Stack Overflow", and if you wait for another 59 seconds and run session2.php again, it will display "Stack Overflow" again ... until one time you run session2.php AFTER 60 seconds, and then the session is gone.

    Note: If you really do the above test, remember to set gc_probability, gc_divisor and gc_maxlifetime back to the default values after you have done the test; otherwise I believe 60 seconds is too short for the session lifetime under normal circumstances.
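
An added example, not part of the original answer: since the docs quoted in the question say stale data is only "potentially" cleaned up at session start, an application that needs a firm inactivity timeout can keep its own timestamps in the session and check them on every request. The function names, the `created_at`/`last_activity` keys and the limit values are assumptions made for this illustration.

```php
<?php
declare(strict_types=1);

// Returns 'new', 'active', 'idle_expired' or 'absolute_expired' and, while the
// session is still valid, restarts the idle window (the sliding behaviour above).
function check_session_age(array &$session, int $now, int $idleLimit, int $absoluteLimit): string
{
    if (!isset($session['created_at'], $session['last_activity'])) {
        $session['created_at'] = $now;
        $session['last_activity'] = $now;
        return 'new';
    }
    if ($now - $session['last_activity'] >= $idleLimit) {
        return 'idle_expired';
    }
    if ($now - $session['created_at'] >= $absoluteLimit) {
        return 'absolute_expired';
    }
    $session['last_activity'] = $now;
    return 'active';
}

// Call this instead of a bare session_start(). Limits are assumed values.
function start_session_with_timeout(int $idleLimit = 1440, int $absoluteLimit = 28800): string
{
    session_start();
    $state = check_session_age($_SESSION, time(), $idleLimit, $absoluteLimit);
    if ($state === 'idle_expired' || $state === 'absolute_expired') {
        // Do not wait for garbage collection: drop the stale data and the old ID now.
        $_SESSION = [];
        session_regenerate_id(true);
        check_session_age($_SESSION, time(), $idleLimit, $absoluteLimit);
    }
    return $state;
}

// Constructed walk-through of the 59/60-second test, using a plain array (CLI only).
if (PHP_SAPI === 'cli') {
    $session = [];
    foreach ([0, 59, 118, 178] as $t) {
        printf("t=%3d  %s\n", $t, check_session_age($session, $t, 60, 3600));
    }
}
```

The absolute limit caps how long a continuously refreshed session can live, which the sliding idle window alone does not.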