As Marek has stated a number of times, the session options in php.ini are meant to be set to reasonable values for the usage pattern for your server, in order that you can achieve a balance between a /tmp or /var/tmp of several zillion kilobytes, and a constant 100% CPU usage as the gc routine runs again and again.
That's all it is. If you wish to time out your sessions for security purposes, you need to handle that security in your application. Security is the responsibility of the developer, and should always remain that way. Anything else is leaving you open to trouble.
To restate, the session.gc_maxlifetime defines how long the session must have been inactive in order for it to be SAFE to be gc'ed. That's why it's session.*GC*_maxlifetime and not session.security_maxlifetime. The setting has no bearing on when a session MUST be gc'ed. That is up to the developer to deal with - hell, with session.gc_divisor = 0, you can have session files which are never deleted if you desire - that doesn't mean your users should never be logged out, now does it?
Hope this clears things up a little.
Cheers
Chris
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
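An added example, not part of the original message: one way to enforce the timeout in the application, as the post above advises, instead of relying on session.gc_maxlifetime. The session keys (`created_at`, `last_activity`, `user_id`), the function names and both limits are assumptions chosen for illustration.

```php
<?php
// Added example: application-level session timeout, independent of when
// (or whether) the garbage collector removes the session file.
declare(strict_types=1);

const IDLE_LIMIT = 900;        // assumed policy: 15 minutes of inactivity
const ABSOLUTE_LIMIT = 28800;  // assumed policy: 8 hours since login

/** Pure policy check, so it can be exercised without a live session. */
function session_is_expired(array $s, int $now, int $idle = IDLE_LIMIT, int $abs = ABSOLUTE_LIMIT): bool
{
    if (!isset($s['created_at'], $s['last_activity'])) {
        return true; // no timestamps: treat as not authenticated
    }
    return ($now - (int)$s['last_activity']) > $idle
        || ($now - (int)$s['created_at']) > $abs;
}

/** Call after a successful login. */
function start_authenticated_session(string $userId): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    session_regenerate_id(true); // new id, old session data removed
    $now = time();
    $_SESSION = ['user_id' => $userId, 'created_at' => $now, 'last_activity' => $now];
}

/** Call at the top of every authenticated request; false means "log in again". */
function enforce_session_timeout(): bool
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $now = time();
    if (session_is_expired($_SESSION, $now)) {
        $_SESSION = [];
        session_destroy(); // do not wait for gc to invalidate the session
        return false;
    }
    $_SESSION['last_activity'] = $now; // sliding idle window
    return true;
}

// Constructed sample data: the policy check run offline.
$now = 1700000000;
var_dump(session_is_expired(['created_at' => $now - 60, 'last_activity' => $now - 30], $now));     // recently active
var_dump(session_is_expired(['created_at' => $now - 3600, 'last_activity' => $now - 1000], $now)); // idle past IDLE_LIMIT
```

For this to work, session.gc_maxlifetime only has to be at least as long as the idle limit, so the session data still exists when the application checks it.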