
8.4 Configuring Sessions

Sessions work great with no additional tweaking. Turn them on with the session_start( ) function or the session.auto_start configuration directive, and the $_SESSION array is there for your enjoyment. However, if you're more particular about how you want sessions to function, there are a few helpful settings that can be changed.

Session data sticks around as long as the session is accessed at least once every 24 minutes. This is fine for most applications. Sessions aren't meant to be a permanent data store for user information; that's what the database is for. Sessions are for keeping track of recent user activity to make their browsing experience smoother.

Some situations may need a shorter session length, however. If you're developing a financial application, you may want to allow only 5 or 10 minutes of idle time to reduce the chance that an unattended computer can be used by an unauthorized person. If your application doesn't work with very critical data and you have easily distracted users, you may want to set the session length to longer than 24 minutes.

The session.gc_maxlifetime configuration directive controls how much idle time is allowed between requests to keep a session active. Its default value is 1,440; there are 1,440 seconds in 24 minutes. You can change session.gc_maxlifetime in your server configuration or by calling the ini_set( ) function from your program. If you use ini_set( ), you must call it before session_start( ). Example 8-12 shows how to use ini_set( ) to change the allowable session idle time to 10 minutes.

Example 8-12. Changing allowable session idle time
<?php

ini_set('session.gc_maxlifetime', '600'); // 600 seconds = ten minutes

session_start( );

?>

Expired sessions don't actually get wiped out instantly after 24 minutes elapses. Here's how it really works: at the beginning of any request that uses sessions (because the page calls session_start( ) or session.auto_start is on), there is a 1% chance that the PHP interpreter scans through all of the sessions on the server and deletes any that are expired. "A 1% chance" sounds awfully unpredictable for a computer program. It is. But that randomness makes things more efficient. On a busy site, searching for expired sessions to destroy at the beginning of every request would consume too much server power.

You're not stuck with that 1% chance if you'd like expired sessions to be removed more promptly. The session.gc_probability configuration directive is the percent chance that the "erase old sessions" routine runs at the start of a request. To have that happen on every request, set it to 100. As with session.gc_maxlifetime, if you use ini_set( ) to change the value of session.gc_probability, you need to do it before session_start( ). Example 8-13 shows how to change session.gc_probability with ini_set( ).

Example 8-13. Changing the expired session cleanup probability
<?php

ini_set('session.gc_probability', '100'); // 100%: clean up on every request

session_start( );

?>

If you are activating sessions with the session.auto_start configuration directive and you want to change the value of session.gc_maxlifetime or session.gc_probability, you can't use ini_set( ) to change those values; you have to do it in your server configuration.
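Because the cleanup routine only runs at the start of some requests, an idle session can still be resumed after session.gc_maxlifetime has passed if the collector hasn't happened to run yet. The following added example (not from the book) combines the two ini_set( ) calls from Examples 8-12 and 8-13 with an application-level check of a last-activity timestamp, so the ten-minute idle limit is enforced on every request regardless of garbage collection. It also sets session.gc_divisor, which this chapter does not mention, to 100 so that session.gc_probability reads as a percentage; the IDLE_LIMIT constant and the 'last_activity' key are names chosen here, not PHP's.

```php
<?php
// Added example: enforce the idle timeout in the application as well as
// relying on PHP's probabilistic session garbage collection.
const IDLE_LIMIT = 600; // seconds of inactivity allowed (ten minutes)

// Garbage-collector settings; all must be set before session_start().
ini_set('session.gc_maxlifetime', (string) IDLE_LIMIT);
ini_set('session.gc_probability', '100'); // run the collector ...
ini_set('session.gc_divisor', '100');     // ... 100 times out of 100

session_start();

// True when the session's recorded last activity is older than $limit
// seconds. A session with no timestamp yet (first request) is not idle.
function session_is_idle_too_long(array $session, int $now, int $limit): bool
{
    if (!isset($session['last_activity'])) {
        return false;
    }
    return ($now - (int) $session['last_activity']) > $limit;
}

if (session_is_idle_too_long($_SESSION, time(), IDLE_LIMIT)) {
    // Discard the stale data and issue a fresh session ID; the 'true'
    // argument deletes the old session file immediately.
    $_SESSION = [];
    session_regenerate_id(true);
}

// Record this request so the next one can measure idle time from here.
$_SESSION['last_activity'] = time();
?>
```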
