php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Request #68127 Very short maxlifetime in default php.ini
Submitted: 2014-10-01 20:59 UTC Modified: 2015-12-16 01:02 UTC
Votes:2
Avg. Score:4.0 ± 1.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: atze_80 at web dot de Assigned:
Status: Open Package: *Configuration Issues
PHP Version: 5.6.0 OS:
Private report: No CVE-ID: None
Have you experienced this issue?
Rate the importance of this bug to you:

 [2014-10-01 20:59 UTC] atze_80 at web dot de
Description:
------------
In the php.ini delivered with php source is the following setting

session.gc_maxlifetime = 1440

according to the documentation this value is in seconds, which means that the default session lifetime is just 24 minutes.

I cannot help myself but assume that there is a missing zero. A value of 14400 seconds is 4 hours which is more reasonable.


Patches

php.ini-maxlifetime-patch (last revision 2014-10-01 21:00 UTC by atze_80 at web dot de)

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2014-10-03 10:05 UTC] tyrael@php.net
hi, the default value for this setting is the same since session gc was introduced back in '99.
maybe it would be appropriate to change the defaults (which should also include changing the hard coded default when no ini is present: http://lxr.php.net/xref/PHP_5_5/ext/session/session.c#790) but I think this would be better discussed on the mailing list, and having an RFC for changing this would be also reasonable.
 [2015-12-16 01:02 UTC] yohgaki@php.net
1440 seconds may be too short for many sites. However, if session.gc_maxlifetime should have larger value, users should set larger value manually. Default values should be safe enough values. IMHO.

There are too many sites that do not use SSL currently. If vast majority of PHP sites use SSL, then we may consider to use larger value for session.gc_maxlifetime. Even if this became the case, 3600 seconds would be long enough. IMO.
 
PHP Copyright © 2001-2019 The PHP Group
All rights reserved.
Last updated: Sun Sep 22 18:01:26 2019 UTC