How the session file destroys automatically?

Posted: Mon Nov 22, 2010 8:16 am
by aknayak
Hi All

I have a query related to sessions and I would highly appreciate your answers.

Query:
======
In PHP we use

session_start(); // To start the session

$_SESSION['key']='someValue'; // Assigns some values to the key

Let's assume we did this operation during user login time.
That means for each user there will be a new file in the /tmp folder [In Windows or in the path session.save_path]

Suppose we are not using session_destroy() during logout.

That means for each user the file that was created by the server will remain in the same place. My question is how we can delete those files: if we think we are storing 50Kb of data for each user and we have 1000000000 users, then what will happen?

Re: How the session file destroys automatically?

Posted: Mon Nov 22, 2010 10:12 am
by DaveTheAve
That is exactly why they are stored in the /tmp folder. They are removed automatically before space gets low; however, even being a Linux user myself, I don't know if Linux will not let the tmp be a certain size, the number of files, or a cron job as to what triggers the automatic removal.

Re: How the session file destroys automatically?

Posted: Thu Nov 25, 2010 2:25 am
by greyhoundcode
Interesting, found this regarding /tmp:
Debian User Reference Manual wrote:
This directory is generally erased on a regular basis, or every time you reboot the system. You can create files here if you want, just be aware they might get deleted automatically.
Apparently configurable, so it can be done every 5 days (for instance) or on each reboot.

Re: How the session file destroys automatically?

Posted: Thu Nov 25, 2010 4:06 am
by VladSun
Using /tmp folder is not recommended:
Warning

If you leave this set to a world-readable directory, such as /tmp (the default), other users on the server may be able to hijack sessions by getting the list of files in that directory.
The session garbage collector is responsible for cleaning up "timed out" session files:
http://www.php.net/manual/en/session.co ... robability

In some Linux distros (like Debian/Ubuntu) session.gc_probability is set to 0 because a cron job is responsible for deleting session files:

cat /etc/cron.d/php5 
# /etc/cron.d/php5: crontab fragment for php5
#  This purges session files older than X, where X is defined in seconds
#  as the largest value of session.gc_maxlifetime from all your php.ini
#  files, or 24 minutes if not defined.  See /usr/lib/php5/maxlifetime

# Look for and purge old sessions every 30 minutes
09,39 *     * * *     root   [ -x /usr/lib/php5/maxlifetime ] && [ -d /var/lib/php5 ] && find /var/lib/php5/ -type f -cmin +$(/usr/lib/php5/maxlifetime) -print0 | xargs -n 200 -r -0 rm
Cleaning on reboot (only) is not an option.
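
Added example, not part of any post in this thread: a shell sketch of the two checks discussed above, whether the session save path can be listed by other users and an age-based purge like the cron job's. The function names and sample files are constructed for illustration, and it filters on modification time (-mmin) instead of the cron job's -cmin so the sample files can be backdated with touch.

```sh
#!/bin/sh
# Added example (not from the thread): audit and purge a PHP file-session
# directory. Function names and the sample files are this example's own.

# Succeeds if group or other users can list the directory (the "r" bit),
# which is the condition the PHP manual warning quoted above is about.
save_path_is_listable() {
    case $(ls -ld -- "$1" | cut -c5,8) in
        *r*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Delete session files not modified for more than $2 minutes; print how many.
# Only files named sess_* (PHP's file-handler naming) are touched.
# Uses -mmin, not the cron job's -cmin, so test files can be backdated.
purge_stale_sessions() {
    [ -d "$1" ] || return 2
    find "$1" -type f -name 'sess_*' -mmin +"$2" -print -exec rm -f {} \; |
        wc -l | tr -d ' '
}

# Build a constructed session directory, audit it, purge it, report the result.
demo() {
    d=$(mktemp -d) || return 1
    chmod 700 "$d"                       # private save path: owner only
    touch "$d/sess_fresh"                # active session, modified just now
    touch -t 201011220816 "$d/sess_stale1" "$d/sess_stale2" "$d/unrelated.txt"
    if save_path_is_listable "$d"; then listable=yes; else listable=no; fi
    removed=$(purge_stale_sessions "$d" 24)   # 24 minutes, the default cited above
    left=$(ls "$d" | wc -l | tr -d ' ')
    rm -rf "$d"
    echo "listable=$listable removed=$removed left=$left"
}

demo
```

A directory with mode 733 (writable but not readable by others) passes the listing check, while a mode such as 755 or /tmp's 1777 does not.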