How Long Will My Session Last

How long will my session last?

In general you can say session.gc_maxlifetime specifies the maximum lifetime since the last change of your session data (not the last time session_start was called!). But PHP’s session handling is a little bit more complicated.

Because the session data is removed by a garbage collector that is only called by session_start with a probability of session.gc_probability devided by session.gc_divisor. The default values are 1 and 100, so the garbage collector is only started in only 1% of all session_start calls. That means even if the the session is already timed out in theory (the session data had been changed more than session.gc_maxlifetime seconds ago), the session data can be used longer than that.

Because of that fact I recommend you to implement your own session timeout mechanism. See my answer to How do I expire a PHP session after 30 minutes? for more details.

For how long does a session last by default?

As long as the declared value of session-timeout in web.xml states. If there is no value specified there, the container decides this setting.

How long will a session variable last if you don't unset it?

By default it will be there 24 minutes. (Which is the default php.ini file setting).

As you commented, this is the setting: http://www.php.net/manual/en/session.configuration.php#ini.session.gc-maxlifetime

$_SESSION - how long will it keep around?

session.cookie_lifetime influences the expires parameter of the cookie that session_start() sets. It's like setcookie(<sessionname>, <sessionid>, time()+<session.cookie_lifetime>, ...). It advises the client not to use that cookie after time()+<session.cookie_lifetime> (but it can of course remove it earlier, not accept it at all or ignore the "expires" parameter altogether).

The session id is used to select the "right" session data. I.e. if a request does not contain the correct session id the session data is not available to the php script.

If only that single client knows the session id (as it should be) and throws away the cookie that contains the session id the session data is unreachable. Unreachable but still present on the server.

When a script invokes session_start() there is a chance that the garbage collection is started, see session.gc_probability and session.gc_divisor.

Then the flat-file session handler loops through all files in the directory specified by session.save_path and checks the "last modified time" (mtime). If that timestamp is older than now-session.gc_maxlifetime the file is removed (unless this file corresponds to the current session id, in which case it doesn't matter how old the file is).

That takes some time and is therefore not performed on each call to session_start().

I.e. there can be session files on the server that are older than both session.cookie_lifetime and session.gc_maxlifetime.

session.cookie_lifetime signals the client that there is no need to store the cookie/id after x seconds.

session.gc_maxlifetime signals the session mechanism that there is no need to keep the data after x seconds.

But as long as the data remains on the server it can be accessed if the respective session-id is sent.

How long php sessions are stored in server?

Default php.ini sets the session expiration time to 30 minutes.

Check out these settings: session.gc_maxlifetime and session.cookie_lifetime

As long as the browser have the cookie stored, it doesn't matter if it is closed or is open.

If you want to store the session for lets say 30 days, you can add:

ini_set('session.gc_maxlifetime', 30*24*60*60);
ini_set('session.cookie_lifetime', 30*24*60*60);

How do I expire a PHP session after 30 minutes?

You should implement a session timeout of your own. Both options mentioned by others (session.gc_maxlifetime and session.cookie_lifetime) are not reliable. I'll explain the reasons for that.

First:

session.gc_maxlifetime

session.gc_maxlifetime specifies the number of seconds after which data will be seen as 'garbage' and cleaned up. Garbage collection occurs during session start.

But the garbage collector is only started with a probability of session.gc_probability divided by session.gc_divisor. And using the default values for those options (1 and 100 respectively), the chance is only at 1%.

Well, you could simply adjust these values so that the garbage collector is started more often. But when the garbage collector is started, it will check the validity for every registered session. And that is cost-intensive.

Furthermore, when using PHP's default session.save_handler files, the session data is stored in files in a path specified in session.save_path. With that session handler, the age of the session data is calculated on the file's last modification date and not the last access date:

Note: If you are using the default file-based session handler, your filesystem must keep track of access times (atime). Windows FAT does not so you will have to come up with another way to handle garbage collecting your session if you are stuck with a FAT filesystem or any other filesystem where atime tracking is not available. Since PHP 4.2.3 it has used mtime (modified date) instead of atime. So, you won't have problems with filesystems where atime tracking is not available.

So it additionally might occur that a session data file is deleted while the session itself is still considered as valid because the session data was not updated recently.

And second:

session.cookie_lifetime

session.cookie_lifetime specifies the lifetime of the cookie in seconds which is sent to the browser. […]

Yes, that's right. This only affects the cookie lifetime and the session itself may still be valid. But it's the server's task to invalidate a session, not the client. So this doesn't help anything. In fact, having session.cookie_lifetime set to 0 would make the session’s cookie a real session cookie that is only valid until the browser is closed.

Conclusion / best solution:

The best solution is to implement a session timeout of your own. Use a simple time stamp that denotes the time of the last activity (i.e. request) and update it with every request:

if (isset($_SESSION['LAST_ACTIVITY']) && (time() - $_SESSION['LAST_ACTIVITY'] > 1800)) {
    // last request was more than 30 minutes ago
    session_unset();     // unset $_SESSION variable for the run-time 
    session_destroy();   // destroy session data in storage
}
$_SESSION['LAST_ACTIVITY'] = time(); // update last activity time stamp

Updating the session data with every request also changes the session file's modification date so that the session is not removed by the garbage collector prematurely.

You can also use an additional time stamp to regenerate the session ID periodically to avoid attacks on sessions like session fixation:

if (!isset($_SESSION['CREATED'])) {
    $_SESSION['CREATED'] = time();
} else if (time() - $_SESSION['CREATED'] > 1800) {
    // session started more than 30 minutes ago
    session_regenerate_id(true);    // change session ID for the current session and invalidate old session ID
    $_SESSION['CREATED'] = time();  // update creation time
}

Notes:

• session.gc_maxlifetime should be at least equal to the lifetime of this custom expiration handler (1800 in this example);
• if you want to expire the session after 30 minutes of activity instead of after 30 minutes since start, you'll also need to use setcookie with an expire of time()+60*30 to keep the session cookie active.

Session timeout after 1 day

Try this Code.

 $inactive = 60*60*24;if( !isset($_SESSION['timeout']) )$_SESSION['timeout'] = time() + $inactive; 
$session_life = time() - $_SESSION['timeout'];
if($session_life > $inactive){  session_destroy(); header("Location:index.php");     }
$_SESSION['timeout']=time();