Session did not time out

Anon

I am using Linux + Apache + PHP 4.0.1pl2 with Sessions.

My Problem is, that the sessions did not time out. Once a session is created I can destroy it manually (with session_destroy) but if the user did not use the logout function (which will destroy the session) the file with the session data will be kept in the session directory and the session id is valid for ever. Here's my php.ini:

session.save_handler = files
session.save_path = /tmp
session.use_cookies = 0
session.name = ID
session.auto_start = 0 session.cookie_lifetime = 900
session.cookie_path = /
session.cookie_domain = my-domain.de
session.serialize_handler = php
session.gc_probability = 1
session.gc_maxlifetime = 1800
session.referer_check =
session.entropy_length = 16
session.entropy_file = /dev/urandom
session.cache_limiter = nocache
session.cache_expire = 60

Anon

You should increase session.gc_probability. The session wont be cleared until after the timeout has elapsed AND the gc is run. The gc only runs 1 out of 100 times the php script loads session state info. Try setting to 100, wait for the timeout to elapse and load the script from a different pc. Then load on the original pc and you should see that the session was cleared.

Good Luck!
Ted