Session Cessation

Posted on February 20, 2007

You may have come across a problem in PHP where user sessions (i.e., from $_SESSION) expire earlier than you expect. Now, there are many different settings that can affect PHP sessions. Besides any application preferences, PHP has settings like session.gc_probability and session.gc_maxlifetime. But none of these matter if you don’t change session.save_path.

By default, sessions are saved in /tmp — the global temporary folder for the entire system. I’m not familiar enough with *nix to know for sure, but I’m guessing that the system regularly cleans up old files in this folder that it thinks are no longer being used. It might do this anywhere from 20 minutes to a few hours later.

So the best thing to do is to set the session.save_path variable (or use the session_save_path() function) to point the session directory to a different folder. Because the session files are easily readable, this folder should not be visible to the public. If possible, sessions should be saved using a custom session handler (such as a database) with more security than the built-in PHP functionality.
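One way to apply this on a Unix-like host, as an added example that is not part of the original post: create a session directory that only the PHP process owner can access, then point PHP at it before the session starts. The path /var/lib/myapp/sessions, the function name use_private_session_dir() and the 3600-second lifetime are assumptions chosen for illustration.

```php
<?php
declare(strict_types=1);

// Added example, not from the original post. The directory path used
// below is an assumed placeholder; pick one outside the document root.
function use_private_session_dir(string $dir, int $lifetimeSeconds): void
{
    // Create the directory with owner-only access if it does not exist.
    // The second is_dir() covers a race where another request created it.
    if (!is_dir($dir) && !mkdir($dir, 0700, true) && !is_dir($dir)) {
        throw new RuntimeException("Cannot create session directory: $dir");
    }

    // Session files are plain serialized data, so refuse to leave the
    // directory readable or listable by group or other users.
    clearstatcache(true, $dir);
    $mode = fileperms($dir) & 0777;
    if (($mode & 0077) !== 0 && !chmod($dir, 0700)) {
        throw new RuntimeException("Cannot restrict permissions on: $dir");
    }

    if (!is_writable($dir)) {
        throw new RuntimeException("Session directory not writable: $dir");
    }

    // Both settings must be applied before session_start().
    session_save_path($dir);
    ini_set('session.gc_maxlifetime', (string) $lifetimeSeconds);
}

use_private_session_dir('/var/lib/myapp/sessions', 3600);
session_start();
```

Giving each application its own directory also keeps another application's garbage collection, which may run with a shorter session.gc_maxlifetime, from deleting these session files.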

PHP manual reference: http://www.php.net/manual/en/ref.session.php
