On Tuesday 25 September 2001 16:19, Johnson, Kirk wrote:
> > So, no matter if the user is still working, the session will be
> > destroyed. I mean session.gc_maxlifetime isn't
> > session.gc_maxIDLEtime?
> Every time the user requests a page in an application using
> sessions, the session file's access time gets updated. The garbage
> collection routine looks at that access time. If the file hasn't
> been accessed less than gc_maxlifetime seconds ago, the gc routine
> deletes the session file. Another factor comes into play, though, that
> is session.gc_probability. This sets how often the gc routine is
> launched. The default value is 1%, which means that on 1 of every
> 100 page requests the gc routine launches. So, if the server is not
> getting many hits, it can be a long time before the gc routine
> launches, so the session file can hang around longer than
> gc_maxlifetime.
Thank you for the detailed answer Kirk.

I thought that PHP works as you wrote. But sometimes I find that much 
older sessions are still "alive". I have 1440 secs for maxlifetime, and 
if I bookmark a page with the session id I can use it for days or 
even weeks (I haven't tested a longer time period :)) 
It is critical for most applications with user privileges, because 
someone can easily spoof another user's identity. Of course people 
should use the logout button, but as you all know they don't want to, 
forget it, or their browser hangs; many things can happen.

So do you know any better solution to this problem?
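One way to stop relying on the probabilistic gc run is to enforce the idle limit in the application itself, as in this added example (not code from the thread or from PHP); it assumes the 1440 s idle figure from the message above plus an assumed 8 h absolute limit, and ignores session ids arriving in the URL so a bookmarked link no longer resumes the session.

```php
<?php
// Added example, not code from the thread. Enforce idle and absolute
// session limits in the application itself, so an old session id is
// rejected on its next request regardless of when the probabilistic
// gc routine happens to run. Assumed limits: 1440 s idle (the figure
// from the message above) and 8 h absolute.
declare(strict_types=1);

const IDLE_LIMIT     = 1440;      // seconds since the last request
const ABSOLUTE_LIMIT = 8 * 3600;  // seconds since the session was created

// Pure check so the policy can be tested without a real session.
function sessionExpired(array $data, int $now): bool
{
    if (!isset($data['created_at'], $data['last_activity'])) {
        return false;                       // brand-new session, stamped below
    }
    return ($now - $data['last_activity']) > IDLE_LIMIT
        || ($now - $data['created_at'])   > ABSOLUTE_LIMIT;
}

// Call at the top of every page that uses the session. Returns false
// (and wipes the session) when the caller should treat the user as
// logged out.
function startBoundedSession(): bool
{
    // Ignore session ids that arrive in the URL (the bookmark case) and
    // refuse ids the server never issued. Must be set before session_start().
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    ini_set('session.use_strict_mode', '1');
    session_start();

    $now = time();
    if (sessionExpired($_SESSION, $now)) {
        $_SESSION = [];
        setcookie(session_name(), '', $now - 3600, '/');  // drop the client cookie
        session_destroy();
        return false;
    }
    $_SESSION['created_at']    ??= $now;   // first request of this session
    $_SESSION['last_activity']   = $now;   // refreshed on every request
    return true;
}
```

Because the check runs on every request, an id that has sat idle past the limit is destroyed the moment it is presented again, even if gc_probability never fired in the meantime.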


PHP General Mailing List (http://www.php.net/)