Best way for setting PHP session timeout?



I found this code for setting the PHP session timeout ...

which essentially relies on setting a variable in the $_SESSION for
the time and then comparing the time to that value on each subsequent
page access.  But what other factors are there to consider?  Does
someone know a more foolproof way of setting the session timeout?

Thanks, - Dave

Re: Best way for setting PHP session timeout?

Just a remark. Using $_SESSION['timeout'] can help to *shorten* session
life, which I understand is your requirement. So far so good.

However, *extending* session life is tricky. By default, sessions are
shared between all sites in the host and as soon as *any* site triggers
garbage collection, *all* session data older than X is gone; including,
of course, your $_SESSION['timeout']. If you need to have longer
sessions (or, simply, be in full control of your session data) you need
to change the appropriate PHP settings (which can be done via PHP code),
esp. the temporary directory: you need your own private temporary dir so
nobody else can erase your session data. PHP does not really track who
owns sessions.

-- - Álvaro G. Vicario - Burgos, Spain

Re: Best way for setting PHP session timeout?

On Wed 11 Nov 2009 18:56, wrote:


  No, you can use ini_set() to set up your own session timeout:

/* Lifetime in seconds of cookie or, if 0,
   until browser is restarted. */
ini_set("session.cookie_lifetime", "1800");

  This will ensure that the session file or entry is removed
after the timeout.

  Another way is to set up the same value at your virtual host
entry in Apache:

<IfModule mod_php5.c>
    php_value "session.cookie_lifetime" "1800"
</IfModule>

  If you do not have those methods available, then try your
$_SESSION['timeout'] method, but this one does not remove the
entry from the session storage.


Best regards,
--
| Daniel Molina Wegener == dmw [at] coder [dot] cl |
|   IT Consulting & Freelance Software Developer   |


Re: Best way for setting PHP session timeout?

I don't think it does. ISTR that it just tells php that it can remove
the file next time it does a cleanup.

Re: Best way for setting PHP session timeout?


Utter nonsense.

No it won't. This is a polite request to the browser to clean up the
cookie some time after the TTL has expired. This has no effect on when
the session data stored on the server is considered stale, nor when it
is deleted.


Session data will exist in the session storage substrate until it is
explicitly deleted by the garbage collector, however the session
handler MUST check that session.gc_maxlifetime has not expired before
returning the stored data to the script. If it has expired, it MUST
reinitialize the substrate data (to null) and return an empty session
to the calling script.

You set the session timeout by specifying a value for

The difference between using 0 and a non-zero value for
session.cookie_lifetime is that a value of 0 causes the cookie to be
deleted when the browser is closed. Using a non-zero value will mean
that (with a few exceptions) the cookie will be available provided the
browser is opened again before the TTL has expired. If you set a non-
zero value of session.cookie_lifetime which is less than
session.gc_maxlifetime, then the cookie will be deleted before the
session is no longer available at the server. No big deal. If the
session.cookie_lifetime is greater than session.gc_maxlifetime, then
you may get a session cookie presented where the session is either
stale or deleted. No big deal. This scenario can also arise with
cookie TTL of 0.

If you are using a non-standard session handler, then by all means
check it does what it's supposed to do.
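
Added example, not code from any poster in this thread: one way to combine the points raised above, with a private session directory, session.gc_maxlifetime as the server-side lifetime, session.cookie_lifetime treated as a browser-side setting only, and a timestamp kept in $_SESSION so the idle limit is enforced even when garbage collection has not run yet. The names IDLE_LIMIT, SESSION_DIR, 'last_seen' and start_session_with_timeout() are assumptions made for the illustration.

```php
<?php
// Added example. IDLE_LIMIT, SESSION_DIR and 'last_seen' are hypothetical names.
const IDLE_LIMIT  = 1800;                                 // allowed inactivity in seconds
const SESSION_DIR = '/var/lib/php-sessions/example-app';  // hypothetical private directory

/**
 * Starts the session and enforces the idle limit.
 * Returns false when the previous session had expired and was discarded.
 * Must be called before any output, since it sets session ini values and cookies.
 */
function start_session_with_timeout(int $now): bool
{
    // Private storage: garbage collection triggered by another site on a
    // shared host only sweeps that site's save_path, not this directory.
    if (!is_dir(SESSION_DIR) && !mkdir(SESSION_DIR, 0700, true)) {
        throw new RuntimeException('cannot create session directory');
    }
    ini_set('session.save_path', SESSION_DIR);

    // Server side: data idle for longer than this may be garbage collected.
    ini_set('session.gc_maxlifetime', (string) IDLE_LIMIT);

    // Browser side only: 0 means the cookie is dropped when the browser closes.
    // This value has no effect on how long the server keeps the data.
    ini_set('session.cookie_lifetime', '0');
    ini_set('session.cookie_httponly', '1');
    ini_set('session.use_strict_mode', '1');   // refuse session ids the server did not issue

    session_start();

    $last = $_SESSION['last_seen'] ?? null;
    if ($last !== null && ($now - $last) > IDLE_LIMIT) {
        // Stale but not yet collected: discard the data and issue a fresh id.
        $_SESSION = [];
        session_destroy();
        session_start();
        session_regenerate_id(true);
        $_SESSION['last_seen'] = $now;
        return false;
    }

    $_SESSION['last_seen'] = $now;   // sliding window: each request renews the limit
    return true;
}

if (!start_session_with_timeout(time())) {
    // The caller decides what an expired session means, e.g. asking the user to log in again.
}
```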

