Solved

PHP Session gc_maxlifetime?

Posted on 2004-09-02
Last Modified: 2012-06-21
I'm wondering, what good is php_value session.gc_maxlifetime?  Why not just have a session expire upon not being accessed for x amount of time, then delete them...why keep them around for any longer with maxlifetime?


CoolATIGuy

Example:

php_value session.cache_expire 25   <--- mins how long a session is alive
php_value session.gc_probability 20  <--- percentage of time old sessions are deleted
php_value session.gc_maxlifetime 1500  <-- sec how long an expired session is considered trash
Question by:CoolATIGuy
 
LVL 48

Accepted Solution

by:
hernst42 earned 500 total points
ID: 11970558
Hi,

I think you interpreted the session.cache_expire value wrong:
This value sets the header that says how long this document is valid before the browser needs to recheck the page. If you have set session.cache_limiter to nocache, that value should not be interpreted or used. So this value has nothing to do with session.gc_maxlifetime.

session.gc_maxlifetime:
That's the time in seconds after which the session will be seen as expired, and when session.gc_probability gets a true value, all sessions that have not been used for the session.gc_maxlifetime will be deleted.

session.gc_probability:
is used as a performance option so php does not need to check for every request if sessions have expired. The problem is that HTTP is stateless. So you don't know when the user closes the browser on the server-side and can't delete the session then.
0
 
LVL 8

Author Comment

by:CoolATIGuy
ID: 11983090
I'm sorry, I'm not getting what you're saying...could you please clarify?  Dumb it down...

CoolATIGuy
0
 
LVL 8

Author Comment

by:CoolATIGuy
ID: 11993375
I'm not understanding your explanations for the different variables...what do you mean by "how long this document is valid before the browser needs to recheck the page"?

CoolATIGuy
0
 
LVL 8

Author Comment

by:CoolATIGuy
ID: 12013338
hernst42,

I'd really like to figure this out and get it closed....does anyone have any ideas?


CoolATIGuy
0
 
LVL 48

Expert Comment

by:hernst42
ID: 12013429
The cache_expire gives the validity of the HTML document in the cache or in a proxy. If the user does not do a reload, the HTML page is taken from the cache/proxy and there is no request sent to the webserver.

The setting is only relevant if you also use none for session.cache_limiter
0
 
LVL 8

Author Comment

by:CoolATIGuy
ID: 12030452
Found this: http://www.zend.com/manual/function.session-cache-expire.php

So basically the cache_expire says that if the user logs in, then doesn't do anything for xx minutes (defaults to 180 minutes), then they have to log in to access session-secure info.

The gc_probability determines how often the expired sessions get deleted.

And gc_maxlifetime will allow the user to be logged out, but leave the session behind for awhile, so the user can see a message saying that they timed out, etc.

Sound right?


CoolATIGuy
0
 
LVL 48

Expert Comment

by:hernst42
ID: 12031002
No,
If gc_probability is set to 1 (default 1/100), then every (by default about every 100th) PHP page request, all stored sessions (of all users) are checked, and those sessions that are older (have not been modified) since time() - gc_maxlifetime are deleted.

cache_expire will only work if cache_limiter is set to a value != nocache. So if you use the default for cache_limiter (nocache) you can ignore cache_expire as it will not be used.

So depending on the value of cache_expire (here 60) and cache_limiter = private, the webserver generates the following in the HTTP headers:
Cache-Control: private, max-age=3600, pre-check=3600

See http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.9 for a detailed explanation of caching for HTTP

In the link max-age is described as the following:
max-age
When an intermediate cache is forced, by means of a max-age=0 directive, to revalidate its own cache entry, and the client has supplied its own validator in the request, the supplied validator might differ from the validator currently stored with the cache entry. In this case, the cache MAY use either validator in making its own request without affecting semantic transparency.
However, the choice of validator might affect performance. The best approach is for the intermediate cache to use its own validator when making its request. If the server replies with 304 (Not Modified), then the cache can return its now validated copy to the client with a 200 (OK) response. If the server replies with a new entity and cache validator, however, the intermediate cache can compare the returned validator with the one provided in the client's request, using the strong comparison function. If the client's validator is equal to the origin server's, then the intermediate cache simply returns 304 (Not Modified). Otherwise, it returns the new entity with a 200 (OK) response.
If a request includes the no-cache directive, it SHOULD NOT include min-fresh, max-stale, or max-age.

0
 
LVL 8

Author Comment

by:CoolATIGuy
ID: 12032458
Can you give me fictional examples of those 3 variables being used, please?

CoolATIGuy
0
 
LVL 48

Expert Comment

by:hernst42
ID: 12033617
Here are the examples from the php.ini

; Define the probability that the 'garbage collection' process is started
; on every session initialization.
; The probability is calculated by using gc_probability/gc_divisor,
; e.g. 1/100 means there is a 1% chance that the GC process starts
; on each request.

session.gc_probability = 1
session.gc_divisor     = 100

; After this number of seconds, stored data will be seen as 'garbage' and
; cleaned up by the garbage collection process.
session.gc_maxlifetime = 1440

So if that garbage process is started, all sessions stored in /tmp which are older than 24 minutes (gc_maxlifetime) are deleted by PHP. A session is expired if the user with that session has not accessed the server for 24 minutes. It could also happen, if there are very few accesses to the server, that the session is still valid after 30 or 60 minutes, because the garbage collection of PHP hasn't been started.

As the cache_limiter is set to nocache, the value of cache_expire is not used and has no effect on the session.

0
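The last point in the answer above (on a quiet server a session can still be valid after 30 or 60 minutes because garbage collection has not run) is why an idle timeout is normally enforced in application code rather than left to the collector. An added example, not part of the original thread; `IDLE_LIMIT`, the `last_activity` key and `session_is_fresh()` are names assumed for illustration:

```php
<?php
// Added example: enforce the idle timeout on every request instead of relying
// on session garbage collection, which only runs on a fraction of requests.
// IDLE_LIMIT, 'last_activity' and session_is_fresh() are hypothetical names.

const IDLE_LIMIT = 1440; // seconds; same value as session.gc_maxlifetime above

/**
 * Returns true and refreshes the timestamp if the session is within the idle
 * limit; returns false and empties the data if it has been idle for longer.
 */
function session_is_fresh(array &$session, int $now, int $limit = IDLE_LIMIT): bool
{
    $last = $session['last_activity'] ?? null;
    if ($last !== null && ($now - $last) > $limit) {
        $session = [];              // stale: drop the data whether or not GC ran
        return false;
    }
    $session['last_activity'] = $now;
    return true;
}

if (PHP_SAPI !== 'cli') {
    // Web request: check before any page logic trusts $_SESSION.
    session_start();
    if (!session_is_fresh($_SESSION, time())) {
        session_unset();
        session_destroy();          // delete the server-side session data now
        session_start();
        session_regenerate_id(true); // the stale identifier is not reused
        $_SESSION['last_activity'] = time();
        // The application would send the user back to its login page here.
    }
} else {
    // Command-line demo with constructed timestamps (no web server needed).
    $s = ['user' => 'alice', 'last_activity' => 1000];
    var_dump(session_is_fresh($s, 1000 + IDLE_LIMIT)); // idle for exactly the limit
    var_dump(session_is_fresh($s, 2440 + 3600));       // idle 60 minutes, GC never ran
    var_dump($s);                                      // session data after the stale check
}
```

With this check in place, the gc_probability/gc_divisor setting only decides when stale files are cleaned off disk, not how long a login stays usable.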
 
LVL 8

Author Comment

by:CoolATIGuy
ID: 12056304
Thanks

CoolATIGuy
0
