ivanhalen

Sessions don't behave in the same way even if php.ini is almost identical

I have a local development server (WAMP) and a remote one (LAMP): even though I have two almost identical php.ini session configurations, the session expires after 24 minutes of inactivity on the remote server (this is 'cause of the session.gc_maxlifetime configuration) and... never on the local server.
Well, I'd expect at least the same behavior on both servers, but it ain't so (ideally I'd like the remote server to have the same "don't expire 'til browser is closed" behavior that I have on local)... apart from the session "zone" in php.ini, what should I check to make them behave in the same way?

Here are two screenshots:

Thanks in advance for the answers
gr8gonzo

You can set the gc lifetime to a really high value to help emulate that, but garbage collection IS a necessary evil if you don't want to crash your server.

Imagine a visitor who goes to your page, looks at your login page (or some page that would start a new session), and then leaves the site, but doesn't close the browser until he's completely off of your site. The browser is not responsible for sending a message back to all the sites it has visited to tell them it is closing. So, the result would be a session file on your server for that visitor that would never be "garbage cleaned" (unless that same visitor went back before closing the browser, and did some process on your site that destroyed the session).

So the problem is that your visitors' browsers are perfectly happy to let you (the server) do all of the work and clean up after their mess.

So you always need GC enabled.

Now, as far as the lifetime of GC, it's more of a question of security. The longer a session file stays in existence on your server, the more time a hacker would have to steal that session. There is no special security around sessions - anyone that knows a valid session ID can get whatever is stored inside. It's difficult to just guess session IDs (since they're so long and random), but if a hacker was trying to steal it through other means (tricking someone into giving it away or stealing it from their PC or getting them to visit a page that steals it, etc), it gives them more time to try their attack.

So you have to think about your visitor - is that visitor really going to come back to your site if they haven't done anything on it for 24 minutes? On the web, usually 24 minutes of inactivity means that the visitor has gone on to a different site or has left for lunch or whatever. If they go to some long lunch and leave their computer unlocked, then a hacker would only have 24 minutes to discover this and start using the site before the session dies.

All that said, if your session isn't expiring on your local, then that probably means one of two things:

Possibility 1: Your browser is interacting with the site somehow and every time it does so, it is refreshing the session and keeping it alive. The 24 minute period may still apply but you're just never hitting it. There are a variety of ways this could happen, from session paths to browser extensions that refresh the page automatically.

Possibility 2: The folder containing your session files has a permissions issue where PHP garbage collection cannot clean up the files. My bet is on option 1, though.

For the one that is on Windows, check: sometimes there is a php.ini in Windows\system32 that may be in conflict with the one from Wampserver.

I know that if the number of seconds - minutes is too big the session will be expired at the very beginning.

Do you have a session setting parameter in your application?

People often expect PHP to be the same on different servers. But some details are often set up differently. In my experience with over a dozen different hosting companies and half a dozen different installations on my own servers, there is always some little difference.

@DaveBaldwin: Amen!

Happy New Year to all, ~Ray
ivanhalen


Some say that on my local PC the session isn't expiring 'cause of very few requests (only mine) and so GC doesn't work so much, while on the production server it expires as-it-should-be 'cause of a lot of requests (it's a shared server)
Can it be?

Ok, you gave me some ideas... still the difference remains, and I really don't know what it could be...
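
The checks raised in this thread (which php.ini is actually loaded, whether the session folder is writable, how often garbage collection runs), gathered into one script as an added example that is not from any of the posters. PHP starts session garbage collection on a request with probability session.gc_probability / session.gc_divisor, so session.gc_maxlifetime alone does not fix the moment a session ends; the script therefore also enforces the idle limit in code. The function names, the `last_activity` key and the `IDLE_LIMIT` value are assumptions made for the example.

```php
<?php
// Added example: report the effective session settings, then enforce an idle timeout in code.
const IDLE_LIMIT = 1440; // assumption: 24 minutes, the gc_maxlifetime mentioned in the question

function session_report(): array
{
    $raw = session_save_path();
    // save_path may be "N;/path" or "N;MODE;/path"; keep only the directory part.
    $path = substr(strrchr(';' . $raw, ';'), 1) ?: sys_get_temp_dir();
    return [
        'loaded php.ini'          => php_ini_loaded_file() ?: '(none)',
        'extra ini files'         => php_ini_scanned_files() ?: '(none)',
        'session.save_handler'    => ini_get('session.save_handler'),
        'session.save_path'       => $path,
        'save_path writable'      => is_writable($path) ? 'yes' : 'no',
        'session.gc_maxlifetime'  => ini_get('session.gc_maxlifetime'),
        'session.gc_probability'  => ini_get('session.gc_probability'),
        'session.gc_divisor'      => ini_get('session.gc_divisor'),
        'session.cookie_lifetime' => ini_get('session.cookie_lifetime'),
    ];
}

// Expire on inactivity regardless of whether garbage collection has run yet.
function enforce_idle_timeout(int $limit): bool
{
    $now = time();
    $expired = isset($_SESSION['last_activity'])          // hypothetical key name
        && ($now - $_SESSION['last_activity']) > $limit;
    if ($expired) {
        $_SESSION = [];                // drop the stale data
        session_destroy();             // remove it from storage
        session_start();               // start a clean session
        session_regenerate_id(true);   // and give it a new ID
    }
    $_SESSION['last_activity'] = $now;
    return $expired;
}

session_start();
$expired = enforce_idle_timeout(IDLE_LIMIT);
header('Content-Type: text/plain');
echo $expired ? "Previous session timed out\n" : "Session active\n";
foreach (session_report() as $key => $value) {
    echo str_pad($key, 26), $value, "\n";
}
```

Run it on both servers and compare the output line by line. Take it off the shared server afterwards, since it prints filesystem paths.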