Source: php7.3
Version: 7.3.4-2
Severity: minor

Hi,
I found a somewhat lingering bug in Ubuntu which just as much
applies to Debian.
Hence I thought the best would be to forward that to you so that we
can go the same route on handling it.

The behavior is quite old since
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=595706
I have found quite some refs, but not one directly asking for that yet
that would be solved.
I mean https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=831752 is the
same bug, but closed for 7.0 being removed.

I didn't want to revive old bugs on my own, but obviously feel free to
close this and reassign the old one if you prefer that. Just let me
know so I can follow.

## From here on I'm quoting the original bug that Ubuntu got ##

The Ubuntu distribution of PHP doesn't use the usual PHP mechanism of
session garbage collection. It sets "session.gc_probability" to zero
in the php.ini file, thus making it seem like garbage collection is
disabled. In fact it still occurs but with a cron job.

In my Docker image, the PHP "sessionclean" program is being executed
and it seems that this uses the "session.gc_maxlifetime" setting from
the apache2 version of the php.ini file. However this is non-obvious
and not documented in the php.ini file. Thus when recently rebuilding
my Docker image for my web service, I started getting what seemed to
be premature session timeouts and I couldn't figure out why and I
ended up raising a bug on the PHP team
(https://bugs.php.net/bug.php?id=76368).

If the Ubuntu team is going to modify the PHP package so it differs in
behaviour from the description in the PHP provided documentation, then
they need to provide updated documentation.

I would suggest that the simplest solution is to update the php.ini
file so that where "session.gc_probability" is set to zero there is a
short paragraph saying why (because it is handled by the cron job) and
also make it clear somewhere in that file that the
"session.gc_maxlifetime" setting is still relevant even though
"session.gc_probability" is zero.
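
An added example, not part of the original report or of the PHP packaging: a small Python audit that reads the session.gc_* directives from each SAPI's php.ini and states whether in-process garbage collection is on, so that a zero "session.gc_probability" alongside a still-relevant "session.gc_maxlifetime" is visible per SAPI. The SAPI names and php.ini fragments are constructed sample input, and the function names are hypothetical.

```python
import re

# Constructed php.ini fragments for two SAPIs (sample input, not copied from any package).
SAMPLE_INIS = {
    "apache2": """
[Session]
; in-process GC switched off
session.gc_probability = 0
session.gc_divisor = 1000
session.gc_maxlifetime = 1440
""",
    "cli": """
[Session]
session.gc_probability = 0
session.gc_maxlifetime = 86400
""",
}

# Matches uncommented integer assignments such as: session.gc_maxlifetime = 1440
DIRECTIVE = re.compile(r"^\s*(session\.gc_\w+)\s*=\s*\"?(\d+)\"?\s*(?:;.*)?$")

def session_gc_settings(ini_text):
    """Return the session.gc_* integer directives; the last assignment wins."""
    found = {}
    for line in ini_text.splitlines():
        m = DIRECTIVE.match(line)
        if m:
            found[m.group(1)] = int(m.group(2))
    return found

def describe(settings):
    """Say who expires sessions under one php.ini, using PHP's built-in defaults for gaps."""
    prob = settings.get("session.gc_probability", 1)     # PHP default: 1
    life = settings.get("session.gc_maxlifetime", 1440)  # PHP default: 1440
    if prob == 0:
        return f"in-process GC off; external cleanup still applies gc_maxlifetime={life}s"
    divisor = settings.get("session.gc_divisor", 100)    # PHP default: 100
    return f"in-process GC on ({prob}/{divisor} per request), gc_maxlifetime={life}s"

def audit(inis):
    """Map each SAPI name to its verdict so differing lifetimes stand out."""
    return {sapi: describe(session_gc_settings(text)) for sapi, text in inis.items()}

if __name__ == "__main__":
    for sapi, verdict in audit(SAMPLE_INIS).items():
        print(f"{sapi}: {verdict}")
```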
