A session is a way to store information (in variables) to be reused across multiple HTTP requests, simulating a "state" while the user navigates between pages.

Unlike a cookie, the information is not stored on the end user's computer but on the application server; the browser only holds the session ID.

For security reasons, sessions have a time limit after which they expire. PHP has a default session timeout, and sometimes it is not the timeout your application needs. In this post we are going to learn how to change the PHP session timeout.

How long is a PHP session timeout

The PHP session timeout depends on the server configuration, specifically the session.gc_maxlifetime directive in the php.ini file.

Typically the default PHP session timeout is 24 minutes (1440 seconds), but your web host may have changed the default to something else.

What is a reasonable session timeout?

OWASP, one of the most authoritative web application security standards organizations, says about session timeouts:

“Insufficient session expiration by the web application increases the exposure of other session-based attacks, as for the attacker to be able to reuse a valid session ID and hijack the associated session, it must still be active. The shorter the session interval is, the lesser the time an attacker has to use the valid session ID. The session expiration timeout values must be set accordingly with the purpose and nature of the web application, and balance security and usability, so that the user can comfortably complete the operations within the web application without his session frequently expiring… Common idle timeout ranges are 2-5 minutes for high-value applications and 15-30 minutes for low risk applications.”

From the federal guideline perspective, the draft NIST 800-63B – Digital Identity Guidelines proposes the following recommendation for providing high confidence for authentication: “Reauthentication of the subscriber SHALL be repeated following no more than 30 minutes of user inactivity.”

So your sessions should not last longer than 30 minutes. Read the Session timeout considerations in this article.

Setting PHP Session Timeout

The timeout limit of the session in PHP is configured using two directives in the php.ini file:

  • session.gc_maxlifetime: sets how long, in seconds, session data is kept on the server before it is treated as garbage and becomes eligible for deletion.

  • session.cookie_lifetime: sets the expiration time, in seconds, of the PHPSESSID cookie that holds the session ID in the browser.

Another way to set PHP session timeout is by using the ini_set() function in a PHP script.

Using php.ini settings for session timeout

Find the directive session.gc_maxlifetime and choose the smallest value your application can tolerate. session.gc_maxlifetime only controls when obsolete session data becomes eligible for garbage collection; it does not guarantee deletion at that moment, so relying on it as the session timeout is not recommended. Developers should manage the lifetime of sessions themselves with a timestamp stored in the session.

It specifies the number of seconds after which data will be seen as ‘garbage’ and potentially cleaned up. Garbage collection may occur during session start (depending on session.gc_probability and session.gc_divisor). Defaults to 1440 (24 minutes).

Find the directive session.cookie_lifetime and set it to 0 (zero). This value has a particular meaning: it tells the browser not to write the cookie to permanent storage, so when the browser is closed the session ID cookie is discarded immediately. If developers set this to a value other than 0, the session ID survives in the browser and may be reused by other users of the same machine. Most applications should use 0 for this.

If an auto-login feature is required, developers must implement their own secure auto-login feature. Do not use long life session IDs for this.
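Because the post recommends managing session lifetime with a timestamp rather than relying on session.gc_maxlifetime, here is an added example (not code from the original post) that enforces both an idle timeout and an absolute lifetime using timestamps kept in $_SESSION; the limit values, the function name and the /login.php redirect target are assumptions.

```php
<?php
// Assumed limits for this example: 15 minutes idle, 8 hours absolute.
const IDLE_TIMEOUT_SECONDS = 15 * 60;
const ABSOLUTE_LIFETIME_SECONDS = 8 * 3600;

// Returns true while the session is within both limits. When a limit is
// exceeded, the server-side data is cleared, the session ID cookie is
// invalidated and the session is destroyed, and false is returned.
function enforce_session_limits(int $idle, int $absolute, int $now): bool
{
    $lastActivity = $_SESSION['last_activity'] ?? $now;
    $createdAt    = $_SESSION['created_at'] ?? $now;

    if ($now - $lastActivity > $idle || $now - $createdAt > $absolute) {
        $_SESSION = [];
        if (ini_get('session.use_cookies')) {
            // Expire the cookie with the same attributes PHP used to set it.
            $p = session_get_cookie_params();
            setcookie(session_name(), '', time() - 42000,
                      $p['path'], $p['domain'], $p['secure'], $p['httponly']);
        }
        session_destroy();
        return false;
    }

    // Still valid: refresh the idle timer, keep the creation time fixed.
    $_SESSION['last_activity'] = $now;
    if (!isset($_SESSION['created_at'])) {
        $_SESSION['created_at'] = $now;
    }
    return true;
}

// Session cookie lives only until the browser closes (see above), and
// strict mode makes PHP reject session IDs it did not generate itself.
ini_set('session.cookie_lifetime', '0');
ini_set('session.use_strict_mode', '1');
session_start();

if (!enforce_session_limits(IDLE_TIMEOUT_SECONDS, ABSOLUTE_LIFETIME_SECONDS, time())) {
    header('Location: /login.php'); // assumed login page
    exit;
}

echo "Session is active; last activity at " . $_SESSION['last_activity'] . "<br/>";
```

Unlike session.gc_maxlifetime, this check runs on every request, so an idle or old session is rejected the moment it is presented rather than whenever garbage collection happens to run.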

Using ini_set directives for setting session timeout

You can set session.gc_maxlifetime and session.cookie_lifetime at runtime using the ini_set(<directive>, <value>) function.

To do so, call the function at the beginning of your script, before session_start(), passing the directive name and the desired value.

See the following example:

<?php

// Set the session timeout to 2 seconds (deliberately short for the demo)
$timeout = 2;

// Session data on the server becomes eligible for garbage collection after $timeout seconds.
// Both ini_set() calls must run before session_start() to take effect.
ini_set( "session.gc_maxlifetime", $timeout );

// The session ID cookie sent to the browser expires after $timeout seconds
ini_set( "session.cookie_lifetime", $timeout );

// Start a new session, or resume the one whose ID the browser sent
session_start();

// Get the session cookie name (PHPSESSID by default)
$s_name = session_name();

// The browser only sends the cookie while it has not expired,
// so its presence in the request tells us the session is still alive
if(isset( $_COOKIE[ $s_name ] )) {
    // Extend the cookie by another $timeout seconds on each request
    setcookie( $s_name, $_COOKIE[ $s_name ], time() + $timeout, '/' );

    echo "Session is created for $s_name.<br/>";
} else {
    echo "Session is expired.<br/>";
}
?>

The following output will appear after executing the above script for the first time:

Session is created for PHPSESSID.

And executing it again after 2 seconds the output will be:

Session is expired.

Conclusion

The right session timeout for PHP applications can be configured using the global php.ini file or from within scripts, which gives developers more control over how long sessions should last.
