How to change the session timeout in PHP

Question

I would like to extend the session timeout in php  I know that it is possible to do so by modifying the php ini file  But I don t have access to it   So is it possible to do it only with php code

User · Answer

If you use PHP s default session handling  the only way to reliably change the session duration in all platforms is to change php ini  That s because in some platforms  garbage collection is implemented through a script that runs every certain time  a cron script  that reads directly from php ini  and therefore any attempts at changing it at run time  e g  via ini set    are unreliable and most likely won t work   For example  in Debian Linux systems  PHP s internal garbage collection is disabled by setting session gc probability 0 by default in the configuration  and is instead done via  etc cron d php  which runs at XX 09 and XX 39  that is  every half hour   This cron job looks for sessions older than the session gc maxlifetime specified in the configuration  and if any are found  they are deleted  As a consequence  in these systems ini set  session gc maxlifetime        is ignored  That also explains why in this question  PHP sessions timing out too quickly  the OP had problems in one host but the problems ceased when switching to a different host   So  given that you don t have access to php ini  if you want to do it portably  using the default session handling is not an option  Apparently  extending the cookie lifetime was enough for your host  but if you want a solution that works reliably even if you switch hosts  you have to use a different alternative   Available alternative methods include    Set a different session  save  handler in PHP to save your sessions in a different directory or in a database  as specified in PHP  Custom Session Handlers  PHP manual   so that the cron job doesn t reach it  and only PHP s internal garbage collection takes place  This option probably can make use of ini set   to set session gc maxlifetime but I prefer to just ignore the maxlifetime parameter in my gc   callback and determine maximum lifetime on my own  Completely forget about PHP internal session handling and implement your own session management  This method has two main disadvantages  you will need your own global session variables  so you lose the advantage of the   SESSION superglobal  and it needs more code thus there are more opportunities for bugs and security flaws  Most importantly  the session identifier should be generated out of cryptographically secure random or pseudorandom numbers to avoid session ID predictability  leading to possible session hijacking   and that is not so easy to do with PHP portably  The main advantage is that it will work consistently in all platforms and you have full control over the code  That s the approach taken e g  by the phpBB forum software  at least version 1  I m not sure about more recent versions     There is an example of  1  in the documentation for session set save handler    The example is long but I ll reproduce it here  with the relevant modifications necessary to extend the session duration  Note the inclusion of session set cookie params   to increase the cookie lifetime as well    lt  php class FileSessionHandler        private  savePath      private  lifetime       function open  savePath   sessionName                 this- gt savePath    my savepath      Ignore savepath and use our own to keep it safe from automatic GC          this- gt lifetime   3600     1 hour minimum session duration         if   is dir  this- gt savePath                 mkdir  this- gt savePath  0777                      return true             function close                 return true             function read  id                return  string  file get contents   this- gt savePath sess  id               function write  id   data                return file put contents   this- gt savePath sess  id    data      false   false   true             function destroy  id                 file     this- gt savePath sess  id           if  file exists  file                 unlink  file                      return true             function gc  maxlifetime                foreach  glob   this- gt savePath sess     as  file                if  filemtime  file     this- gt lifetime  lt  time    amp  amp  file exists  file        Use our own lifetime                 unlink  file                                    return true            handler   new FileSessionHandler    session set save handler      array  handler   open        array  handler   close        array  handler   read        array  handler   write        array  handler   destroy        array  handler   gc              the following prevents unexpected effects when using objects as save handlers register shutdown function  session write close     session set cookie params 3600      Set session cookie duration to 1 hour session start       proceed to set and retrieve values by key from   SESSION   Approach  2  is more complicated  basically  you have to re-implement all session functions on your own  I won t go into details here

User · Answer

Put   SESSION  login time     time    into the previous authentication page  And the snipped below in every other page where you want to check the session time-out   if time   -   SESSION  login time    gt   1800       session destroy       destroy session      header  Location  logout php        die       See https   thedailywtf com articles WellIntentioned-Destruction       redirect if the page is inactive for 30 minutes   else                SESSION  login time     time          update  login time  to the last time a page containing this code was accessed      Edit   This only works if you already used the tweaks in other posts  or disabled Garbage Collection  and want to manually check the session duration  Don t forget to add die   after a redirect  because some scripts robots might ignore it  Also  directly destroying the session with session destroy   instead of relying on a redirect for that might be a better option  again  in case of a malicious client or a robot

User · Answer

No   If you don t have access to the php ini  you can t guarantee that changes would have any effect    I doubt you need to extend your sessions time though  It has pretty sensible timeout at the moment and there are no reasons to extend it

User · Answer

Session timeout is a notion that has to be implemented in code if you want strict guarantees  that s the only way you can be absolutely certain that no session ever will survive after X minutes of inactivity  If relaxing this requirement a little is acceptable and you are fine with placing a lower bound instead of a strict limit to the duration  you can do so easily and without writing custom logic  Convenience in relaxed environments  how and why If your sessions are implemented with cookies  which they probably are   and if the clients are not malicious  you can set an upper bound on the session duration by tweaking certain parameters  If you are using PHP s default session handling with cookies  setting session gc maxlifetime along with session set cookie params should work for you like this     server should keep session data for AT LEAST 1 hour ini set  session gc maxlifetime   3600       each client should remember their session id for EXACTLY 1 hour session set cookie params 3600    session start       ready to go   This works by configuring the server to keep session data around for at least one hour of inactivity and instructing your clients that they should  quot forget quot  their session id after the same time span  Both of these steps are required to achieve the expected result   If you don t tell the clients to forget their session id after an hour  or if the clients are malicious and choose to ignore your instructions  they will keep using the same session id and its effective duration will be non-deterministic  That is because sessions whose lifetime has expired on the server side are not garbage-collected immediately but only whenever the session GC kicks in  GC is a potentially expensive process  so typically the probability is rather small or even zero  a website getting huge numbers of hits will probably forgo probabilistic GC entirely and schedule it to happen in the background every X minutes   In both cases  assuming non-cooperating clients  the lower bound for effective session lifetimes will be session gc maxlifetime  but the upper bound will be unpredictable   If you don t set session gc maxlifetime to the same time span then the server might discard idle session data earlier than that  in this case  a client that still remembers their session id will present it but the server will find no data associated with that session  effectively behaving as if the session had just started    Certainty in critical environments You can make things completely controllable by using custom logic to also place an upper bound on session inactivity  together with the lower bound from above this results in a strict setting  Do this by saving the upper bound together with the rest of the session data  session start       ready to go    now   time    if  isset   SESSION  discard after     amp  amp   now  gt    SESSION  discard after             this session has worn out its welcome  kill it and start a brand new one     session unset        session destroy        session start          either new or old  it should live at most for another hour   SESSION  discard after      now   3600   Session id persistence So far we have not been concerned at all with the exact values of each session id  only with the requirement that the data should exist as long as we need them to  Be aware that in the  unlikely  case that session ids matter to you  care must be taken to regenerate them with session regenerate id when required

User · Answer

Just a notice for a sharing hosting server or added on domains   For your settings to work you must have a different save session dir for added domain by using php value session save path folderA sessionsA  So create a folder to your root server  not into the public html and not to be publicity accessed from outside  For my cpanel server worked fine the folder permissions 0700  Give a try      Session timeout  2628000 sec   1 month  604800   1 week  57600   16 hours  86400   1 day ini set  session save path     home server  folderA sessionsA    ini set  session gc maxlifetime   57600    ini set  session cookie lifetime   57600     session cache expire is in minutes unlike the other settings above          ini set  session cache expire   960   ini set  session name    MyDomainA     before session start    or put this in your  htaccess file  php value session save path  home server  folderA sessionsA php value session gc maxlifetime 57600 php value session cookie lifetime 57600 php value session cache expire 57600 php value session name MyDomainA  After many researching and testing this worked fine for shared cpanel php7 server  Many thanks to  NoiS

User · Answer

Adding comment for anyone using Plesk having issues with any of the above as it was driving me crazy  setting session gc maxlifetime from your PHP script wont work as Plesk has it s own garbage collection script run from cron   I used the solution posted on the link below of moving the cron job from hourly to daily to avoid this issue  then the top answer above should work   mv  etc cron hourly plesk-php-cleanuper  etc cron daily    https   websavers ca plesk-php-sessions-timing-earlier-expected

User · Answer

You can override values in php ini from your PHP code using ini set

[php] How to change the session timeout in PHP?

Examples related to php

Examples related to session

Examples related to session-timeout