Extending Session Timeout in PHP via the .Htaccess

Extending session timeout in PHP via the .htaccess

You can't do that from the htaccess file but You can change this line in your php.ini file.

session.gc_maxlifetime = 1440

Update: it seems to be possible, so i stand corrected

php_value session.gc_maxlifetime 3600

I haven't tried this out though.

session timeout in php code and in htaccess?

I have resolved this issue by adding following code in my .htaccess file.

<IfModule mod_php5.c>
    #Session timeout
    php_value session.cookie_lifetime 1200
    php_value session.gc_maxlifetime 1200
</IfModule>

Thanks!

Declaring Session Max Life Time in htaccess

Yes, session.gc_maxlifetime is a PHP_INI_ALL setting so it can be overidden in .htaccess:

php_value session.gc_maxlifetime 2000

Also make sure that <Directory> entry in your Apache configuration supports override:

AllowOverride Options

It also may be possible that you misunderstood the purpose of this option. This option will not set the maximum life time of a session, it will set the amount of time after which the garbage collector will clean the session if it's not valid. This can be determined by a lot of factors, including access times, modification times, other INI options such as session.gc_probability and session.gc_divisor.

If you want to limit a session life time, use a proper mechanism for that, as described by @Gumbo in How do I expire a PHP session after 30 minutes.

PHP sessions default timeout

It depends on the server configuration or the relevant directives session.gc_maxlifetime in php.ini.

Typically the default is 24 minutes (1440 seconds), but your webhost may have altered the default to something else.

How to change the session timeout in PHP?

Session timeout is a notion that has to be implemented in code if you want strict guarantees; that's the only way you can be absolutely certain that no session ever will survive after X minutes of inactivity.

If relaxing this requirement a little is acceptable and you are fine with placing a lower bound instead of a strict limit to the duration, you can do so easily and without writing custom logic.

Convenience in relaxed environments: how and why

If your sessions are implemented with cookies (which they probably are), and if the clients are not malicious, you can set an upper bound on the session duration by tweaking certain parameters. If you are using PHP's default session handling with cookies, setting session.gc_maxlifetime along with session_set_cookie_params should work for you like this:

// server should keep session data for AT LEAST 1 hour
ini_set('session.gc_maxlifetime', 3600);

// each client should remember their session id for EXACTLY 1 hour
session_set_cookie_params(3600);

session_start(); // ready to go!

This works by configuring the server to keep session data around for at least one hour of inactivity and instructing your clients that they should "forget" their session id after the same time span. Both of these steps are required to achieve the expected result.

  • If you don't tell the clients to forget their session id after an hour (or if the clients are malicious and choose to ignore your instructions) they will keep using the same session id and its effective duration will be non-deterministic. That is because sessions whose lifetime has expired on the server side are not garbage-collected immediately but only whenever the session GC kicks in.

    GC is a potentially expensive process, so typically the probability is rather small or even zero (a website getting huge numbers of hits will probably forgo probabilistic GC entirely and schedule it to happen in the background every X minutes). In both cases (assuming non-cooperating clients) the lower bound for effective session lifetimes will be session.gc_maxlifetime, but the upper bound will be unpredictable.

  • If you don't set session.gc_maxlifetime to the same time span then the server might discard idle session data earlier than that; in this case, a client that still remembers their session id will present it but the server will find no data associated with that session, effectively behaving as if the session had just started.

Certainty in critical environments

You can make things completely controllable by using custom logic to also place an upper bound on session inactivity; together with the lower bound from above this results in a strict setting.

Do this by saving the upper bound together with the rest of the session data:

session_start(); // ready to go!

$now = time();
if (isset($_SESSION['discard_after']) && $now > $_SESSION['discard_after']) {
    // this session has worn out its welcome; kill it and start a brand new one
    session_unset();
    session_destroy();
    session_start();
}

// either new or old, it should live at most for another hour
$_SESSION['discard_after'] = $now + 3600;

Session id persistence

So far we have not been concerned at all with the exact values of each session id, only with the requirement that the data should exist as long as we need them to. Be aware that in the (unlikely) case that session ids matter to you, care must be taken to regenerate them with session_regenerate_id when required.

Increase max execution time for php

PHP file (for example, my_lengthy_script.php)

ini_set('max_execution_time', 300); //300 seconds = 5 minutes

.htaccess file

<IfModule mod_php5.c>
php_value max_execution_time 300
</IfModule>

More configuration options

<IfModule mod_php5.c>
php_value post_max_size 5M
php_value upload_max_filesize 5M
php_value memory_limit 128M
php_value max_execution_time 300
php_value max_input_time 300
php_value session.gc_maxlifetime 1200
</IfModule>

If wordpress, set this in the config.php file,

define('WP_MEMORY_LIMIT', '128M');

If drupal, sites/default/settings.php

ini_set('memory_limit', '128M');

If you are using other frameworks,

ini_set('memory_limit', '128M');

You can increase memory as gigabyte.

ini_set('memory_limit', '3G'); // 3 Gigabytes

259200 means:-

( 259200/(60x60 minutes) ) / 24 hours ===> 3 Days

More details on my blog

How to handle with a Session Problem in Production

If you use PHP's default session handling, the only way to reliably change the session duration in all platforms is to change php.ini. Check the settings with a phpinfo();

You can also set in your .htaccess file:

php_value session.gc_maxlifetime 64000
php_value session.cookie_lifetime 64000
php_value session.cache_expire 64000
php_value session.name yourdomain.com

If you use a framework like Laravel, CakePHP, Yii you can configure the session to be stored in the database, Redis, etc. and you have a better control.

Like RiggsFolly said in the comment, many shared hosting packages have limits. Hostgator for example: https://www.hostgator.com/help/article/php-settings-that-cannot-be-changed - but the session gc_maxlifetime can be changed from MultiPHP INI Editor, from the default 1440 sec (24 minutes) to a higher value.


Related Topics

Create a Insert... Select Statement in Laravel

In Htaccess, I'D Like to Replace Underscores with Hyphens and Then Redirect the User the New Url

Does PHP Support Conjunction and Disjunction Natively

Sqlite Database Hosted on Heroku Getting Automatically Reset

Check If Variable Starts with 'Http'

How Does PHP Index Associative Arrays

Regex PHP: Find Everything in Div

How to Recursively Obtain the "Parent Id" of Rows in This MySQL Table

PHP Passing Parameters via Url

Is a Blob Converted Using the Current/Default Charset in MySQL

Array Size Limit in PHP

Escaping Column Name with Pdo

How to Implement Exchange Rate in PHP

Getting Data from Post Array in Codeigniter

How to Sort a Multidimensional Array by Multiple Columns

No Database Selected - PHP & MySQL

Mongodb Get _Id as String in Find Query

Phpseclib - How to Connect Using Username, Key and Password (Not a Key Passphrase)


Leave a reply



Submit