How Long Do PHP Sessions Actually Last?

How Long Does a Session Last? Unveiling the Data

Determining the duration of a session from the provided data can be a bit challenging. Let's delve into the details to find the answer.

Session GC and Probability

In PHP, sessions are managed by a garbage collector (GC). The session.gc_maxlifetime parameter specifies the maximum amount of time since the last change in session data before it's marked for removal. However, there's a twist: the GC isn't called every time session_start is invoked.

The session.gc_probability and session.gc_divisor parameters determine the probability that the GC will be triggered during a session_start call. By default, these values are 1 and 100, respectively, meaning that the GC runs in only about 1% of such calls.

Implications for Session Lifetime

The fact that the GC isn't always invoked means that, even if a session's lifetime has technically expired (i.e., the session data was changed over session.gc_maxlifetime seconds ago), it can still be used for a longer period.

Recommendation

Due to this behavior, it's generally advisable to implement your own session timeout mechanism rather than relying solely on PHP's GC. This can help ensure that sessions are terminated within a predetermined period of time.

The above is the detailed content of How Long Do PHP Sessions Actually Last?. For more information, please follow other related articles on the PHP Chinese website!