
Session data-files not removed?

Posted: Wed May 07, 2003 1:17 am
by lcidw
Now I'm a little confused.

file index.php

Code:

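<?php
// Start (or resume) the session; must run before any output is sent.
session_start();

// Show the current session ID (used for the test described below).
echo session_id();

echo '<br /><form action="index.php" method="post">
   <input type="text" name="abc"><input type="submit" value="submit">
   </form><br />';

// Store the submitted value in the session and echo it back, HTML-escaped.
if (isset($_POST['abc'])) {
   $_SESSION['abc'] = $_POST['abc'];
   echo htmlspecialchars($_SESSION['abc']);
}

?>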
If I fill in 'blaat' in the form and click the submit button, it displays 'blaat'. That is good.

Then, I copy the session id displayed on the page, and paste it in the url-field:

Code:

index.php?PHPSESSID=63et3e9g9dg2d90gd82dg8
and this works.

Nothing wrong yet.

Now I close the browser, 12 hours later I come back and call that page with that url (index.php?PHPSESSID=63et3e9g9dg2d90gd82dg8) again in a newly opened browser and the session-data still exists.

(BTW, it's PHP 4.1.1 on PWS on NT4)

This way, the server keeps storing all the session data-files and never removes them?

Is there an advisable way to write code so this doesn't happen, or do I really need to make some changes to php.ini for that, or is it just unimportant and I don't need to worry about it?

Does anybody know? Any ideas welcome!

Here's the most important code of php.ini:

Code:

[Session]
; Handler used to store/retrieve data.
session.save_handler = files

; Whether to use cookies.
session.use_cookies = 1

; Name of the session (used as cookie name).
session.name = PHPSESSID

; Initialize session on request startup.
session.auto_start = 0

; Lifetime in seconds of cookie or, if 0, until browser is restarted.
session.cookie_lifetime = 0

; Handler used to serialize data.  php is the standard serializer of PHP.
session.serialize_handler = php

; Percentual probability that the 'garbage collection' process is started
; on every session initialization.
session.gc_probability = 1

; After this number of seconds, stored data will be seen as 'garbage' and
; cleaned up by the garbage collection process.
session.gc_maxlifetime = 1440

; Check HTTP Referer to invalidate externally stored URLs containing ids.
; HTTP_REFERER has to contain this substring for the session to be
; considered as valid.
session.referer_check =

; How many bytes to read from the file.
session.entropy_length = 0

; Specified here to create the session id.
session.entropy_file =

;session.entropy_length = 16

;session.entropy_file = /dev/urandom

; Set to {nocache,private,public} to determine HTTP caching aspects.
session.cache_limiter = nocache

; Document expires after n minutes.
session.cache_expire = 180

; trans sid support is disabled by default.
; Use of trans sid may risk your users security. It may not be
; feasible to use this option for some sites. Use this option with caution.
session.use_trans_sid = 0

Posted: Wed May 07, 2003 7:41 am
by lcidw
[edited post to make it readable and understandable code]

Posted: Wed May 07, 2003 9:25 am
by volka
the key probably is
session.gc_probability = 1
only one of a hundred requests will trigger the garbage collection

http://www.php.net/manual/en/ref.sessio ... robability

I have the same problem

Posted: Tue May 31, 2005 11:43 am
by cmou
I have the same problem. So can we safely say that session.gc_maxlifetime setting doesn't guarantee the deletion of sessions after they expire if the session.gc_probability is set to something other than 100?

Thanks!
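
An added example (not code from any poster in this thread) of expiring sessions in the application itself instead of relying on probabilistic garbage collection, so a session revisited after `session.gc_maxlifetime` is rejected even if its data file is still on disk. It assumes a current PHP 7+ runtime rather than the PHP 4.1.1 in the question; `SESSION_MAX_IDLE`, the function names and the `last_activity` key are illustrative.

```php
<?php
// Added example; names and the 'last_activity' key are assumptions.
const SESSION_MAX_IDLE = 1440; // seconds, mirrors session.gc_maxlifetime

// True when session data exists but its last activity is unknown or too old.
function session_is_expired(array $data, int $now, int $maxIdle): bool
{
    if ($data === []) {
        return false;                 // brand-new session
    }
    if (!isset($data['last_activity'])) {
        return true;                  // data without a timestamp is treated as stale
    }
    return ($now - (int) $data['last_activity']) > $maxIdle;
}

function start_session_with_expiry(int $maxIdle = SESSION_MAX_IDLE): void
{
    // Take the session ID from the cookie only, never from ?PHPSESSID=...
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    // Refuse IDs the server did not issue (PHP 5.5.2+).
    ini_set('session.use_strict_mode', '1');
    session_start();

    if (session_is_expired($_SESSION, time(), $maxIdle)) {
        // Expire here, whether or not garbage collection has run yet.
        $_SESSION = [];
        session_destroy();            // deletes the stored session data
        session_start();
        session_regenerate_id(true);  // continue under a fresh ID
    }
    $_SESSION['last_activity'] = time();
}

// Constructed check, CLI only: the thread's case of a session revisited 12 hours later.
if (PHP_SAPI === 'cli') {
    $now = 1052300000; // constructed timestamp
    $cases = [
        'revisited after 12 hours' => ['abc' => 'blaat', 'last_activity' => $now - 43200],
        'active 5 minutes ago'     => ['abc' => 'blaat', 'last_activity' => $now - 300],
        'data but no timestamp'    => ['abc' => 'blaat'],
    ];
    foreach ($cases as $label => $data) {
        echo $label, ': ', session_is_expired($data, $now, SESSION_MAX_IDLE) ? 'expired' : 'valid', "\n";
    }
}
```

Call `start_session_with_expiry()` in place of `session_start()` at the top of each page. This bounds how long a session ID stays usable; removing leftover data files on a schedule is a separate job, for which PHP 7.1+ provides `session_gc()`.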