Few questions about PHP sessions

Question

I have a few a few question about php sessions:

1. Since the default value for session.gc_maxlifetime is 24 mins then that means any session file that isn't modified for 24 mins will be deleted and the session will expire automatically.

2. If I use session_destroy() in my code the session will be unset, but the session file itself won't be deleted until 24 mins passes since it was last modified.

3. The only way to extend the session's life time (more than 24 mins) is to extend session.gc_maxlifetime to a bigger value.

Are all these correct or did I get something wrong about it?

Also if I store my sessions in a database (using session_set_save_handler()) will all these rules apply to them ?

Answer 1

1. Almost. The file (session) will not be deleted immediately, that is determined by session.gc_probability and session.gc_divisor.

2. No, the session will be expired, but the deletion of the session file is determined as stated in previous point

3. That is correct ordinarily, but if you were to implement your own session handler, you could alter the behavior of session expiration even in such a way that session.gc_maxlifetime is ignored

Storing session in db should not alter those rules, but could stretch them a little, if you wanted to.

edit:

This is roughly how you can register your own session handler (handler being a class) and then do whatever you want with it

First, suppose we have a class, that is going to be handling sessions for our application.

class MySession {
  function open($save_path, $session_name) {
  }

  function close() {
  }

  function read($id) {
  }

  function write($id, $sess_data) {
  }

  function destroy($id) {
  }

  function gc($maxlifetime) {
  }
}

To register the handler in php, you only need to call session_set_save_handler function, like this in our case:

// register the session handler
$sess = new MySession();
session_set_save_handler(array($sess, 'open'),
                     array($sess, 'close'),
                     array($sess, 'read'),
                     array($sess, 'write'),
                     array($sess, 'destroy'),
                     array($sess, 'gc'));

Note that there are actually better ways to register the handler itself, you could even do this in the constructor of your class, or in numerous other ways. But I assume that is not the point here.

What is important is the fact that although PHP gives you the needed variables corresponding to standard behavior of it's session management mechanism, you don't have to respect it (not that I would recommend that).

To answer a comment below, to ignore the maxlifetime parameter, you ignore that in your gc method and use whatever you deem necessary/right, for example (using db pseudo code):

function gc($maxlifetime) { 
  $sql = "DELETE * FROM MySession WHERE lastAccess < NOW()-3600";
  // execute the query, say I have PDO instance in $dbh variable
  $dbh->execute($sql);
}

Voila, you just completely circumvented PHP session settings by doing it by yourself.

Answer 2

1. Correct, session.gc_maxlifetime will delete session file when the session expires
2. session_destroy doesn't delete the session file
3. yes, this the only way. After you can disable the garbage collection playing with the session.gc_divider and make a script to make your own garbage collection, Debian based distro actually does that by default.

Storing the session in some database won't change those rules.