
Sessions Garbage Collection

How to configure PHP’s Garbage collection mechanism to remove old/expired sessions from the server.

It is good practice to build applications that provide a way to end a session, typically a logout script that calls session_destroy(), but there is no guarantee that a user will log out by requesting that script. Many sessions are simply abandoned when the browser is closed or the user walks away.

PHP session management has a built-in garbage collection mechanism that ensures unused session files are eventually cleaned up. This is important for two reasons:

  1. it prevents the session directory from filling up with files, which degrades performance, and
  2. it shortens the window in which a guessed or leaked session ID still maps to a live session, so an old, unused session cannot be hijacked.

Three directives in php.ini control garbage collection:

  1. session.gc_maxlifetime
    The number of seconds of inactivity after which a session becomes eligible for removal. The default is 1,440 seconds (24 minutes). Treat it as a minimum lifetime: an inactive session survives at least this long, and possibly much longer, because it is only removed when garbage collection actually runs.
  2. session.gc_probability and session.gc_divisor
    Together these set the chance that a request which starts a session also runs garbage collection: gc_probability divided by gc_divisor. The defaults are 1 and 100, so garbage collection runs on 1% of session starts.

Garbage collection can run when a session is initialized, that is, when session_start() is called. When it runs, every stored session is examined, and any session that has not been accessed for longer than the period given in gc_maxlifetime (seconds of inactivity, 1,440 by default) is removed.

The file-based session handler uses the modification time of the session file to determine the last access. To keep active sessions from being collected, PHP refreshes that timestamp on every request that starts the session, not only when session data changes: the file is rewritten at shutdown, or, with session.lazy_write enabled (the default since PHP 7.0), only its timestamp is updated when the data is unchanged.

The garbage collection process can become expensive to run, especially in sites with high numbers of users, because the last-modified date of every session file must be examined.

The gc_probability and gc_divisor pair sets the probability that the garbage collection process is activated on a given session start. Setting gc_probability equal to gc_divisor (100 and 100, in other words 100%) ensures that sessions are examined for garbage collection on every session initialization. The default of 1 and 100 means that garbage collection occurs with a probability of 1 in 100.

Depending on the requirements, some figure between these two extremes balances the needs of the application and performance. Unless a site is receiving fewer than 1,000 hits per day, the probability should be set quite low. For example, an application that receives 1,000 hits in a 10-hour period with gc_probability at 10 (and gc_divisor at 100, so 10%) runs the garbage collection function, on average, once every 6 minutes. Setting the probability too high adds unnecessary processing load on the server. The opposite mistake also matters: on a quiet site with a very low probability, an expired session can linger long after gc_maxlifetime has passed, which is why that directive is only a minimum lifetime.

Remember that garbage collection is performed only when a request that initializes a session is made, and then only with the probability set by gc_probability.
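The following is an added example, not code from the original article: a stand-alone model of what PHP's files save handler does when garbage collection runs, so the modification-time rule described above can be watched on constructed files. It assumes (my assumption, not stated on the page) that session files are named sess_<id> in the save path, as the files handler names them by default, and that the threshold is the gc_maxlifetime value in seconds.

```php
<?php
// Added example, not code from the original article: a stand-alone model of
// what PHP's "files" save handler does when garbage collection runs.
//
// Assumptions (mine, not stated on the page): session files are named
// "sess_<id>" in $savePath, as the files handler names them by default, and
// the threshold is the session.gc_maxlifetime value in seconds.

declare(strict_types=1);

/**
 * Find session files in $savePath whose last modification time is more than
 * $maxLifetime seconds ago and delete them, unless $dryRun is true.
 *
 * @return string[] basenames of the files judged expired
 */
function collect_expired_sessions(string $savePath, int $maxLifetime, bool $dryRun = true, ?int $now = null): array
{
    $now = $now ?? time();
    $expired = [];

    foreach (glob($savePath . '/sess_*') ?: [] as $file) {
        $mtime = filemtime($file);
        if ($mtime === false) {
            // The file disappeared between glob() and stat(); a concurrent
            // request may have destroyed the session. Nothing to do.
            continue;
        }
        // The same test the files handler applies: last access (mtime) older
        // than gc_maxlifetime means the session is garbage. An active session
        // is safe because PHP refreshes the mtime on every request that uses it.
        if ($now - $mtime > $maxLifetime) {
            $expired[] = basename($file);
            if (!$dryRun) {
                unlink($file);
            }
        }
    }
    return $expired;
}

// Demonstration on constructed data in a private temporary directory.
$dir = sys_get_temp_dir() . '/gc-demo-' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
$maxLifetime = 1440; // the php.ini default, 24 minutes

file_put_contents("$dir/sess_active", 'user|i:42;'); // written just now, so its mtime is fresh
file_put_contents("$dir/sess_stale", 'user|i:7;');
touch("$dir/sess_stale", time() - 3600);            // backdate by an hour, well past gc_maxlifetime

// Dry run first: only reports which files would be removed.
print_r(collect_expired_sessions($dir, $maxLifetime, true));
// Real run: removes the stale file and leaves the active one in place.
collect_expired_sessions($dir, $maxLifetime, false);
var_dump(file_exists("$dir/sess_active"), file_exists("$dir/sess_stale"));

// Remove the demonstration directory.
unlink("$dir/sess_active");
rmdir($dir);
```

The dry-run flag is there because this is exactly the scan you would run by hand when debugging a session directory that keeps growing: it tells you which files PHP's own collector would delete, and whether gc_maxlifetime and the file timestamps agree with what you expect.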

When it is important to prevent users from accessing old sessions, the probability should be increased. For example, the default session configuration (session.cookie_lifetime set to 0) sets up a cookie in the browser that is deleted when the browser is closed. This prevents a user from accidentally reconnecting to an old session. However, if the session ID is encoded into a URL (session.use_trans_sid), a bookmarked page can find an old session if it still exists on the server. If session IDs are passed in the URL, you should increase the probability of running garbage collection so that expired sessions are removed promptly.

The session_gc() function

PHP performs probability-based session garbage collection by default, but since PHP 7.1 you can call the session_gc() function to delete expired sessions explicitly, for example from a cron job. It must be called while a session is active, and it returns the number of sessions deleted, or false on failure. Note that some distributions (Debian and its derivatives) ship a php.ini with session.gc_probability set to 0 and clean the session directory from a scheduled job instead, so on those systems PHP's own probabilistic garbage collection never runs unless you re-enable it.

<?php
 session_start();            // session_gc() needs an active session to reach the save handler
 $del = session_gc();        // number of expired sessions removed, or false on failure
 if ($del === false) {
     echo "Garbage collection failed";
 } else {
     echo "Sessions deleted: $del";
 }
 //Prints 2 on my localhost
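As an added example that is not part of the original article, here is the form a scheduled cleanup could take: it runs session_gc() from the command line against the same session store the web application uses. The save path (/var/lib/php/sessions) and the 1,440-second lifetime are assumptions of mine; replace them with the values from the application's php.ini, and run the script as the web server's user so it can read and unlink the session files.

```php
<?php
// Added example, not code from the original article: explicit garbage
// collection from the command line, as a cron job would run it instead of
// relying on session.gc_probability. Requires PHP 7.1 or later for session_gc().
//
// Assumptions (mine): the web application stores sessions with the "files"
// handler under /var/lib/php/sessions with session.gc_maxlifetime = 1440.
// Both values must match the application's php.ini, and the script must run
// as the same user as the web server.

declare(strict_types=1);

/**
 * Run one explicit garbage-collection pass and return the number of
 * sessions removed. Throws if the session store cannot be opened or the
 * save handler reports failure.
 */
function run_session_gc(string $savePath, int $maxLifetime): int
{
    // session_gc() uses the *current* gc_maxlifetime, so the CLI must see the
    // same value as the web SAPI; otherwise it either keeps garbage around or
    // destroys sessions that are still live.
    ini_set('session.save_path', $savePath);
    ini_set('session.gc_maxlifetime', (string) $maxLifetime);
    // Keep session_start() itself from running a probabilistic GC pass, so the
    // count returned by session_gc() covers everything that was removed.
    ini_set('session.gc_probability', '0');
    // No browser on the other end: do not try to emit a session cookie.
    ini_set('session.use_cookies', '0');

    // session_gc() needs an active session to reach the configured save handler.
    if (!session_start()) {
        throw new RuntimeException("session_start() failed; check that $savePath is readable and writable");
    }
    $deleted = session_gc();
    // Discard the throw-away session this script created for itself.
    session_destroy();

    if ($deleted === false) {
        throw new RuntimeException('session_gc() failed or the save handler does not support garbage collection');
    }
    return $deleted;
}

try {
    $n = run_session_gc('/var/lib/php/sessions', 1440);
    fwrite(STDOUT, "expired sessions removed: $n\n");
    exit(0);
} catch (RuntimeException $e) {
    fwrite(STDERR, $e->getMessage() . "\n");
    exit(1);
}
```

Schedule it with a cron entry such as running `php gc-sessions.php` every few minutes; once it is in place you can set session.gc_probability to 0 in php.ini so that web requests never pay for the directory scan, and the cleanup interval becomes predictable regardless of traffic.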

Cookies and Sessions: