My PHP session is set to expire when the user closes the browser, but I noticed that if I leave my browser open for an extended period of time (24+ hours, for example) the session still persists.

Is there a way that I can have these sessions expire either when the browser is closed or when some extended period of time has transpired?

+4  A: 

The solution might be to set data via `ini_set('session.gc_maxlifetime', <lifetime in seconds>);` Of course, if it's possible to change config via PHP. Otherwise you will need to set proper values in your php.ini:

ini_set('session.gc_maxlifetime', 30);
ini_set('session.gc_probability', 1);
ini_set('session.gc_divisor', 1);

The other approach is setting validity of session cookie by:

$expire=24*60*60;
session_set_cookie_params($expire);
session_start();
Karol Janyst
The garbage collector is the way to go, because when you fiddle with cookie lifetime the cookie won't disappear on browser close. Be sure to call `session_regenerate_id()` on unauthorised users, to prevent session-fixation.
Wrikken
@Wrikken are you suggesting to call `session_regenerate_id` any time I catch a user that is not authorized?
Chris
@Karol Janyst using 1 for divisor and probability would ensure that we are always checking for garbage, which would be CPU intensive, right?
Chris
@chris: you could do it based on a variable in the `$_SESSION` array: `session_start();if(!isset($_SESSION['id_generated_by_server'])){ session_regenerate_id(); $_SESSION['id_generated_by_server'] = true;}`
Wrikken
It's not a good idea to depend on the garbage collector to do your timeouts for you. It only fires up on a *RANDOM* schedule. Best to put some timeout checking into your session handler itself, and force re-auth or something if the idle period exceeds the timeout.
Marc B
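
The server-side timeout check described in the last comment, combined with a cookie that lasts only for the browser session, as an added example that is not part of the original thread. The function names, constants, session keys and limits are assumptions, and the array form of `session_set_cookie_params()` needs PHP 7.3 or later.

```php
<?php
// Added example: idle and absolute timeouts enforced in application code,
// independent of when the session garbage collector happens to run.
// All names and limits below are assumptions, not from the thread.
declare(strict_types=1);

const IDLE_LIMIT     = 30 * 60;       // seconds of inactivity allowed
const ABSOLUTE_LIMIT = 24 * 60 * 60;  // maximum session age in seconds

/**
 * Pure check on the session array so it can be tested without a request.
 * A session with no timestamps is new and cannot have expired yet.
 */
function session_is_expired(array $session, int $now): bool
{
    if (!isset($session['created_at'], $session['last_seen'])) {
        return false;
    }
    return ($now - $session['last_seen'] > IDLE_LIMIT)
        || ($now - $session['created_at'] > ABSOLUTE_LIMIT);
}

function start_session_with_timeouts(): void
{
    // lifetime 0 makes this a session cookie, dropped on browser close.
    session_set_cookie_params([
        'lifetime' => 0,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();

    $now = time();
    if (session_is_expired($_SESSION, $now)) {
        // Discard stale data; the caller should now require re-authentication.
        $_SESSION = [];
    }
    if (!isset($_SESSION['created_at'])) {
        // New or just-expired session: issue a server-generated ID and
        // delete the old session record (guards against session fixation).
        session_regenerate_id(true);
        $_SESSION['created_at'] = $now;
    }
    $_SESSION['last_seen'] = $now;
}
```

Call `start_session_with_timeouts()` in place of `session_start()` on every request; keep `session.gc_maxlifetime` at least as large as `IDLE_LIMIT` so the garbage collector does not remove sessions that are still within the limit.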