On 17 Jan 2012, at 23:17, Haluk Karamete wrote: > Back to this session expiration... > > that old quote said... > <begin> > The default behaviour for sessions is to keep a session open > indefinitely and only to expire a session when the browser is closed. > This behaviour can be changed in the php.ini file by altering the > line: > > session.cookie_lifetime = 0 > If you wanted the session to finish in 5 minutes you would set this to: > session.cookie_lifetime = 300. > <end> > > Reflecting on this a little more, I got interested in the part that > says "The default behaviour for sessions is to keep a session open > indefinitely and only to expire a session when the browser is closed." > > How would do the server know that a browser is closed? No browser > sends such a data to a server. > > If you re-open your browser, sure you will get asked to relogin ( > cause that session id cookie is gone ) but that does not mean that old > session data has been erased form the server. How could it? The only > way for that to happen is to run session_destroy programmatically but > for that your users has to click on a link. Certainly, closing a > browser won't cause that! > > This brings the question to the following; > WHEN DOES THE SERVER KNOW THAT A USER IS REALLY GONE OR HE CLOSED HIS BROWSER? > > I'm afraid session.cookie_lifetime = 0 keeps all session data ( that > is past and present ) in server memory until a server restart/stop > takes place. Correct me if I'm wrong. You are wrong. What you need to understand is that the cleanup of the data is controlled by a completely separate system to that which enables requests to get access to it. The session.gc_maxlifetime setting controls how long it must be since the session data was saved before it is considered for cleanup. The description above is correct in that the default behaviour is for the session cookie to die with the browser session, but that has absolutely no effect on how long the data will be retained on the server. If you want a full description of how the session cleanup logic works I'm happy to provide it, but you should be able to work it out by looking at the descriptions of the gc_probability, gc_divisor and gc_maxlifetime settings on this page: http://www.php.net/manual/en/session.configuration.php#ini.session.gc-probability -Stuart -- Stuart Dallas 3ft9 Ltd http://3ft9.com/