Implement a session timeout of your own.
Both options mentioned by others, session.gc_maxlifetime
and session.cookie_lifetime, are not reliable.
session.gc_maxlifetime
session.gc_maxlifetime specifies the number
of seconds after which data will be seen as
'garbage' and cleaned up. Garbage collection
occurs during session start.
But the garbage collector is only started with
a probability of session.gc_probability divided
by session.gc_divisor. And using the default
values for those options (1 and 100, respectively),
the chance is only 1%.
Well, you could simply adjust these values
so that the garbage collector is started
more often. But when the garbage collector
is started, it will check the validity for
every registered session. And that is cost-intensive.
Furthermore, when using PHP's default
session.save_handler files, the session data
is stored in files in a path specified in
session.save_path. With that session handler,
the age of the session data is calculated on
the file's last modification date and not the
last access date.

    if (isset($_SESSION['LAST_ACTIVITY']) && (time() - $_SESSION['LAST_ACTIVITY'] > 1800)) {
        // last request was more than 30 minutes ago
        session_unset();     // unset $_SESSION variable for the run-time
        session_destroy();   // destroy session data in storage
    }
    $_SESSION['LAST_ACTIVITY'] = time(); // update last activity time stamp

Updating the session data with every request also
changes the session file's modification date so that the session
is not removed by the garbage collector prematurely.
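
The same check wrapped into a reusable helper, as an added example that is not part of the original text: on expiry it also starts a fresh session under a new ID, so the new LAST_ACTIVITY timestamp is stored in a live session rather than written after session_destroy(). The function name start_session_with_idle_timeout, the IDLE_TIMEOUT constant and the 401 response are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

const IDLE_TIMEOUT = 1800; // seconds; the same 30-minute window as the snippet above

/**
 * Start the session and enforce an idle timeout in application code,
 * independent of session.gc_maxlifetime and session.cookie_lifetime.
 * Returns true when the previous session had expired and was replaced.
 * (Hypothetical helper name; not a PHP built-in.)
 */
function start_session_with_idle_timeout(int $idleTimeout = IDLE_TIMEOUT): bool
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }

    $now  = time();
    $last = $_SESSION['LAST_ACTIVITY'] ?? null;

    // A missing or non-integer timestamp means a brand-new session, not an expired one.
    $expired = is_int($last) && ($now - $last > $idleTimeout);

    if ($expired) {
        session_unset();             // clear $_SESSION for this request
        session_destroy();           // delete the stored session data
        session_start();             // open a new, empty session
        session_regenerate_id(true); // issue a new ID and drop the old record
    }

    // Writing on every request also refreshes the session file's modification
    // time, so the garbage collector does not remove an active session early.
    $_SESSION['LAST_ACTIVITY'] = $now;

    return $expired;
}

// Usage: call once at the top of every request, before any output is sent.
if (start_session_with_idle_timeout()) {
    http_response_code(401);
    exit('Session expired, please sign in again.');
}
```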