PHP custom session handler - garbage collection time limit

I am considering writing my own custom session handling as I have certain specific requirements that would be perfectly met by having custom sessions.

I have reviewed several examples of custom handlers that are available in various places on the web. They are all very similar. But I have a question about garbage collection that seems to be common to all such examples. Specifically, the garbage collection routines destroy old sessions after either 5 minutes, or 24 minutes, typically.

I am wondering if this would not in many cases destroy sessions actively in progress. It seems like this time is very short, and so I am guessing that there must be some factor I am not aware of that makes these time limits reasonable.

Please comment on how this is really supposed to work.
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

The time limit you see refers to a timer which is *reset* each time the user visits a new page. If your session handler destroys sessions which are 5 minutes old, for example, that just means sessions for people who haven't navigated anywhere in the site for 5 minutes. People can maintain their session as long as they like as long as they keep visiting new pages, which resets the timer to zero each time. In this way only inactive sessions are destroyed.

I hope I understood your question correctly; if not, please clarify, because I'd hate to be just repeating what you already know.
jasimon9Author Commented:
I think you are understanding the question correctly. However, this issue seems exactly what I am considering to be a problem!

If someone comes to a page and has a session going, then is inactive for 10 minutes and is thrown out of their session, I consider that to be a big issue. I would want something much longer, say between 20 or 30 minutes.

Compare this requirement against another feature we have: login cookies. A significant portion of our site's purpose is only available to logged in users. However, we place a cookie on the users system to remember that user, and automatically log them in when they return to the page. I originally designed these cookies to expire in 30 days.

However, our sales dept says "why ever have them expire?" They are pushing for at least 60 or 90 days.

So, to have sessions expire and force the user to start over again is inconsistent with this practice.

I guess I would compare this custom session behavior to the behavior of the default session handling provided by PHP, which we are now using. The session.gc_maxlifetime is 1440 seconds. It would seem that therefore 1440 seconds should be workable, which is 24 minutes, or something like that.
Well, I guess I'm not sure what the problem is, then, since you said above that some of the custom handlers you have reviewed do in fact have 24-minute session limits, which places it right in your ideal range. (Almost any custom session-handling script or class should also permit you to specify yourself what the limit is with a simple change of one number in the code.) So if your problem is just that they're too short, it should be rather simple to make them longer.

However, it's very important that they expire at SOME point! Sessions contain more critical data than cookies, and so if someone is logging into your site from, say, a cybercafe, and doesn't log out, then someone else can come along a day later and continue the session, buying stuff on their credit card, posting messages, etc etc etc. Plus the longer a session time is, the more vulnerable it becomes to hackers who actually hijack sessions remotely.

So go ahead and boost the time, but don't go crazy.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
jasimon9Author Commented:
Your comment is helpfulI would prefer to see some additional comment before awarding points.

I would proably feel ok with the 24-30 minutes, as that is what we are using during prototyping and it has not caused a problem this far.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.