Reputation: 799
Is setting session.gc_probability and session.gc_divisor equal to 100% a bad idea?
The scenario:
- User logs in
- Cookie is set to length of session
- After 1 hour of inactivity I wish to log out the user
How I think I can solve this:
- Set the session.gc_maxlifetime to 1 hour (3600)
- Set the session.gc_probability to 1
- Set the session.gc_divisor to 1
- Therefore having a 100% certainty that garbage collection will occur on any idle session cookies after 1 hour.
My question:
All the posts and documentation I've read has never mentioned setting a gc change of 100%, therefore is it bad to do this? Is there a better way?
It's a symfony app, and long term I would like to do something like this http://symfony.com/doc/master/components/http_foundation/session_configuration.html#session-meta-data but for now I was hoping to just do something simple with session.gc_*
One post I read implies that having a 100% garbage collection chance is "cost-intensive" How do I expire a PHP session after 30 minutes? is this true? If so, how cost intensive?
Cheers!
Upvotes: 11
Views: 15339
Answers (2)
Reputation: 1418
The gc_probability and gc_divisor are there to let you define the "probability" of firing up the garbage collection (GC).
Since GC (as everything) comes with a cost, you wouldn't usually want it to run on each and every web request processed by your server - that would mean that every page opening or every AJAX request served from PHP would cause the GC to run.
So, depending on the actual server load and usage, the admin is expected to do an educated guess on how often should GC be run: once in 100, 1/10000 or 1 in million requests.
But, there's a problematic flaw in the OP's original reasoning - that garbage collection will occur on any idle session. The way I read the manual, the garbage collection will occur on ANY session, not just idle ones:
session.gc_maxlifetime integer: specifies the number of seconds after which data will be seen as 'garbage' and potentially cleaned up.
So, the session (idle or not) lifetime is decided with gc_maxlifetime, while the moment of the GC being started (as said in the docs: "potentially") is really decided with gc_probability and gc_divisor.
To resume, my late answer to the question would be - I would not under normal condition have GC running at each and every request (the 1/1 scenario you mentioned), because
- that seems like a serious overkill. On some level, you would probably end up with thousands (if not worse) of IFs and only once going into its THEN
- you would log out ANY user on your system after 60mins, not just the idle ones.
Upvotes: 10
Reputation: 180004
There are much better ways of doing this.
If this isn't for something particularly secure, you can set an expiration date/length for the session cookies on the client-side. A technically minded user could tweak the expiration in this case, so you wouldn't want to use this on a bank site.
If you need something more secure, just store an expiration time along with the other session data and check against it. If it's exceeded, destroy their session and force them to log back in.
Upvotes: 0
Related Questions
- Cookie less sessions in PHP
- Symfony calls the PHP garbage collector on Ubuntu 14.04 even when session.gc_probability is set to 0
- php session and cookies destroy
- php: what exactly does setting session.gc_max_lifetime = 0 mean?
- CodeIgniter session library - potentially dangerous behavior?
- Symfony2 common session strategy
- Sessions and cookies security and overhead
- must i handle session garbage?
- PHP setting a cookie not 100%
- PHP session garbage collection becoming an annoyance, i need some help to modify this behavior