php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Request #68127 Very short maxlifetime in default php.ini
Submitted: 2014-10-01 20:59 UTC Modified: 2020-12-09 16:45 UTC
Votes:3
Avg. Score:4.0 ± 0.8
Reproduced:2 of 2 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: atze_80 at web dot de Assigned:
Status: Suspended Package: *Configuration Issues
PHP Version: 5.6.0 OS:
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: atze_80 at web dot de
New email:
PHP Version: OS:

 

 [2014-10-01 20:59 UTC] atze_80 at web dot de
Description:
------------
In the php.ini delivered with php source is the following setting

session.gc_maxlifetime = 1440

according to the documentation this value is in seconds, which means that the default session lifetime is just 24 minutes.

I cannot help myself but assume that there is a missing zero. A value of 14400 seconds is 4 hours which is more reasonable.


Patches

php.ini-maxlifetime-patch (last revision 2014-10-01 21:00 UTC by atze_80 at web dot de)

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2014-10-03 10:05 UTC] tyrael@php.net
hi, the default value for this setting is the same since session gc was introduced back in '99.
maybe it would be appropriate to change the defaults (which should also include changing the hard coded default when no ini is present: http://lxr.php.net/xref/PHP_5_5/ext/session/session.c#790) but I think this would be better discussed on the mailing list, and having an RFC for changing this would be also reasonable.
 [2015-12-16 01:02 UTC] yohgaki@php.net
1440 seconds may be too short for many sites. However, if session.gc_maxlifetime should have larger value, users should set larger value manually. Default values should be safe enough values. IMHO.

There are too many sites that do not use SSL currently. If vast majority of PHP sites use SSL, then we may consider to use larger value for session.gc_maxlifetime. Even if this became the case, 3600 seconds would be long enough. IMO.
 [2020-12-09 16:45 UTC] cmb@php.net
-Status: Open +Status: Suspended
 [2020-12-09 16:45 UTC] cmb@php.net
> […] but I think this would be better discussed on the mailing
> list […]

Indeed, so please forward this feature request to the internals
mailing list.  For the time being, I'm suspending this ticket.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Tue Mar 19 11:01:28 2024 UTC