A question with respect to Session Expiration in PHP.
I need my server to throw away session information if that user has been inactive for a while (for testing purposes, 5 seconds).
I've looked at this question and in particular at the answer by Gumbo (+28 votes), and I've been wondering about the feasibility of this answer with respect to inactive users. On my site I already implemented this suggestion and it works fine, so long as the user requests some data at least once after the session expired. But the problem with inactive users is that they don't request new data. So the expiration code is never called.
I've been looking at session.gc_maxlife and associated parameters in my PHP.ini, but I couldn't make this work the way I wanted it to.
Any suggestions on this problem?
The session expiration logic I mentioned does already do what you’re expecting: The session cannot be used once it has expired.
That the session data is still in the storage doesn’t matter as it cannot be used after expiry; it will be removed when the garbage collector is running the next time. And that happens with a probability of session.gc_probability divided by session.gc_divisor on every session_start call (see also How long will my session last?).
Edit: Since you want to perform some additional tasks on an expired session, I would rather recommend using a custom session save handler.
When using a class for the session save handler, you could write two classes, one for the basic save handler and one with an extended garbage collector that performs the additional tasks, e.g.:
    interface SessionSaveHandler {
        public function open();
        public function close();
        public function read($id);
        public function write($id, $data);
        public function destroy($id);
        // PHP passes the maximum session lifetime (in seconds) as the first argument
        public function gc($maxlifetime, $callback = null);
    }

    class SessionSaveHandler_DB_WithAdditionalTasks implements SessionSaveHandler {
        // …
        public function gc($maxlifetime, $callback = null) {
            // accept only a callable of the form array('ClassName', 'method')
            if (!is_null($callback) && (!is_array($callback) || !is_callable($callback))) return false;
            while (/* … */) {
                // run the additional tasks before the session is destroyed
                if ($callback) call_user_func($callback, $id);
                // destroy expired sessions
                // …
            }
            return true;
        }
        public static function doAdditionalTasksOn($id) {
            // additional tasks with $id
        }
    }

    // the handler methods are not static, so register them on an instance
    $handler = new SessionSaveHandler_DB_WithAdditionalTasks();
    session_set_save_handler(
        array($handler, 'open'),
        array($handler, 'close'),
        array($handler, 'read'),
        array($handler, 'write'),
        array($handler, 'destroy'),
        array($handler, 'gc')
    );
If you need to call specific expiration logic (for example, in order to update a database) and want independence from requests, then it would make sense to implement an external session handler daemon that looks at the access times of session files. The daemon script should execute whatever is necessary for every session file that has not been accessed for a specified time.
This solution has two prerequisites: the server's filesystem supports access times (Windows does not) and you can read files from the session save path.
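A sketch of the external sweeper described in the answer above, written in Python as an added example (it is not code from either answer). It assumes PHP's default `files` save handler, which stores each session as `sess_<id>` in the save path. The `sweep_expired_sessions` and `on_expire` names are hypothetical, and it goes slightly beyond the answer by using the later of access and modification time so it still works on filesystems mounted without access-time updates.

```python
import os
import stat
import tempfile
import time
from pathlib import Path

PREFIX = "sess_"  # assumption: file naming of PHP's default "files" handler

def sweep_expired_sessions(save_path, max_idle_seconds, on_expire, now=None):
    """Call on_expire(session_id) for each idle session file, then delete it.

    Returns the list of expired session IDs. Intended to run from cron or a
    loop, independent of any web request.
    """
    now = time.time() if now is None else now
    expired = []
    for entry in Path(save_path).glob(PREFIX + "*"):
        try:
            st = entry.lstat()  # lstat: never follow a symlink planted in the dir
        except FileNotFoundError:
            continue  # PHP's own garbage collector got there first
        if not stat.S_ISREG(st.st_mode):
            continue
        # atime as in the answer; mtime covers noatime/relatime mounts
        last_used = max(st.st_atime, st.st_mtime)
        if now - last_used < max_idle_seconds:
            continue
        session_id = entry.name[len(PREFIX):]
        on_expire(session_id)  # e.g. update the database for this session
        try:
            entry.unlink()  # server-side state is gone; the cookie is now useless
        except FileNotFoundError:
            pass
        expired.append(session_id)
    return expired

if __name__ == "__main__":
    # Constructed sample data: one idle session, one active session.
    demo_dir = tempfile.mkdtemp()
    t = time.time()
    for name, age in (("sess_idle", 60), ("sess_active", 1)):
        path = os.path.join(demo_dir, name)
        open(path, "w").close()
        os.utime(path, (t - age, t - age))
    print(sweep_expired_sessions(demo_dir, 5, lambda sid: print("expiring", sid)))
```

The process running this needs read and delete rights on the session save path and nothing more; the request-time expiry check should stay in place, since a request can still arrive between two sweeps.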