non-cookie (url) session expiration?

Anon

By default, cookies used for php sessions expire when the user closes the web client window.

However, if URL sessions IDs are used (vs. cookies), how/when do sessions expire?

salmon

With cookies, the session expires because when the user closes the browser the cookie is deleted. This deletion of the cookie results in the session ID no longer being propagated.

Similarly, the session "expires" when the the session id is no longer propagated in the URL.

If you were to bookmark the URL, close your browser, and then reopen it and choose the bookmark, then that session would be recovered as long a the session file still existed on the server.

salmon

Oh yeah . . .

of course, there's also session_destroy(), but I don't think that's what you were getting at in your question.

Anon

How long is the session file kept around for? Is there any house keeping of session files?

Or do I need to write my own house keeping job? Perhaps keep a session variable with when the session was late accessed and have a cron job that checks for sessions not accessed > 1/2 hour, destroying them...

The concern here is handling the instance where a session will be used in conjunction with access control. Using the Internet Cafe scenario, if someone doesn't close the Web client, anyone else can come up for an indefinite time period and access the site.

matjaz

session will expire whenever you want it to. if you are working with php4 sessions you can set time limit for session to expire. by default it is set to 20 minutes or something like that.

if you wrote your own session handling routine its the same: you decide when a session expires...

Anon

But isn't PHP's built-in expiration parameter only used for cookies? IOW, URL-based sessions would never expire?

Or, does PHP have its own internal session clearing function?