Bug #75896 All versions of PHP since PHP4
Submitted: 2018-01-31 18:24 UTC Modified: 2018-02-02 14:22 UTC
From: php dot chaska at xoxy dot net Assigned:
Status: No Feedback Package: Session related
PHP Version: 7.2.2RC1 OS: All
Private report: No CVE-ID: None
 [2018-01-31 18:24 UTC] php dot chaska at xoxy dot net
Description:
------------
The default value of 1440 seconds for session.gc_maxlifetime resulted from a copy-paste error many years ago.  It is inane and unsupported by any rationale. It has caused, and continues to cause, innumerable lost or wasted hours of coding, maintenance and debugging efforts on the part of PHP programmers around the world.

Please change the default value as shipped in php.ini and as documented, to something which makes any kind of sense.  I suggest a value of 3600, or one hour.  This is an easily understood value by people, and is a reasonable duration for a session before timeout.  There is no factual support for the idea that 24 minutes (1440 seconds) is a good value.  There may be arguments for other values -- e.g. 86400 for 1 day.  Feel free to research them.  Just pick something sane.


 [2018-01-31 18:32 UTC] spam2 at rhsoft dot net
if you ever hosted a high traffic site you would know what it means to have such high values like 3600 seconds - when you really need endless sessions it's way better to implement that with ajax while still having a low value

on the other side "session.gc" on serious servers is anyways disabled and the cleanup done with cronjobs based on mtime because with hundreds of requests per second the "gc probability" scanning folders with many thousand files doesn't scale

*/5 * * * * apache /usr/bin/find /var/www/sessiondata -type f -mmin +15 -delete
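
A hardened form of the mtime-based cron cleanup from the comment above, as an added example that is not part of the thread or of PHP itself. It assumes the files save handler with its default `sess_<id>` file naming and `session.gc_probability = 0` in php.ini; the function name `purge_sessions` and its arguments are made up for this example.

```shell
#!/bin/sh
# Added example: cron-driven cleanup of PHP session files by mtime.
# Assumptions: default "sess_<id>" file names; find supports -mmin/-delete
# (as the cron line in the thread already requires).

# purge_sessions DIR MAX_AGE_MINUTES
# Deletes regular files named sess_* directly inside DIR whose mtime is older
# than MAX_AGE_MINUTES and prints how many were removed.
# Returns 2 on invalid input without deleting anything.
purge_sessions() {
    dir=$1
    max_age=$2

    # Only a positive integer may reach "-mmin +N"; an empty or malformed
    # value must never change what find matches.
    case $max_age in
        ''|*[!0-9]*) echo "max age must be a positive integer" >&2; return 2 ;;
    esac
    [ "$max_age" -gt 0 ] || { echo "max age must be > 0" >&2; return 2; }

    # Cron jobs should not depend on the working directory, and an absolute
    # path can never be parsed by find as an option.
    case $dir in
        /*) ;;
        *) echo "directory must be an absolute path" >&2; return 2 ;;
    esac

    # Refuse a missing directory or a symlink, so the job only ever touches
    # the real session store.
    if [ ! -d "$dir" ] || [ -L "$dir" ]; then
        echo "not a real directory: $dir" >&2
        return 2
    fi

    # -maxdepth 1     never descend into subdirectories
    # -type f         regular files only (find does not follow symlinks here)
    # -name 'sess_*'  leave any unrelated file in the directory alone
    # -print -delete  emit each removed path so the result can be counted
    find "$dir" -maxdepth 1 -type f -name 'sess_*' -mmin "+$max_age" \
        -print -delete | wc -l | tr -d ' '
}
```

The age passed in should not be lower than the session lifetime the application expects, otherwise sessions that are still in use are deleted.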
 [2018-01-31 18:36 UTC] peehaa@php.net
> It is inane and unsupported by any rationale. It has caused, and continues to cause, innumerable lost or wasted hours of coding, maintenance and debugging efforts on the part of PHP programmers around the world.

[citation needed]
 [2018-01-31 18:37 UTC] peehaa@php.net
-Status: Open +Status: Feedback
 [2018-02-02 14:22 UTC] peehaa@php.net
-Status: Feedback +Status: No Feedback
 
Last updated: Fri Apr 19 18:01:28 2024 UTC