I have set session.gc_maxlifetime and session.cookie_lifetime. As documented on the site, gc_maxlifetime should set the maximum session time and setting cookie_lifetime to 0 should destroy the session. But it's not working as expected.
I have the following code in my PHP file:
ini_set('session.gc_maxlifetime', 3600); // For testing I keep it for 10 sec
ini_set('session.cookie_lifetime', 0);
session_start();
// !empty() avoids an undefined-index warning when the parameter is absent
if (!empty($_GET['set'])) {
    $_SESSION['test'] = 'test';
}
if (!empty($_GET['delete'])) {
    session_destroy();
}
print_r($_SESSION);
It's best to do this sort of thing globally in php.ini, because all scripts have a chance (based on gc_probability / gc_divisor) to trigger the garbage collection and they will do so based on their own current settings.
If this is not possible, a workaround is to set a custom session_save_path in your script.
Setting session.cookie_lifetime to 0 doesn't destroy a session, it tells the browser to discard the cookie when closed.
The session.gc_maxlifetime setting is a bit more tricky. It does indeed set the time after which a session is considered to be expired and therefore deleted. However, that doesn't happen immediately and in fact, depending on other settings, it may not happen at all.
What happens is, you also have the session.gc_probability and session.gc_divisor settings, which together form the "chance" for the session garbage collector to run - this is explained in the PHP manual.
It is only when the GC runs that session.gc_maxlifetime comes into play and existing sessions' timestamps are compared to it.
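
Because expiry through gc_maxlifetime only happens when the garbage collector runs, an idle timeout that must hold on every request can be checked by the script itself. The following is an added example, not code from the question or the answers; `IDLE_TIMEOUT`, the `last_activity` key and both function names are hypothetical.

```php
<?php
// Added example: idle timeout enforced per request instead of relying on the GC.
// IDLE_TIMEOUT, the 'last_activity' key and both function names are hypothetical.
const IDLE_TIMEOUT = 3600; // seconds; same value the question passes to gc_maxlifetime

// Pure decision function: has this session been idle longer than allowed?
function session_is_expired(array $session, int $now, int $timeout): bool
{
    // A session with no timestamp is new, not expired.
    if (!isset($session['last_activity'])) {
        return false;
    }
    return ($now - (int) $session['last_activity']) > $timeout;
}

// Tear the session down completely: data, server-side record and browser cookie.
function destroy_session_fully(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        // Expire the cookie in the browser using the parameters it was set with.
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

ini_set('session.gc_maxlifetime', (string) IDLE_TIMEOUT);
ini_set('session.cookie_lifetime', '0'); // session cookie: dropped when the browser closes
session_start();

if (session_is_expired($_SESSION, time(), IDLE_TIMEOUT)) {
    destroy_session_fully();
    session_start();               // begin a fresh, empty session
    session_regenerate_id(true);   // do not reuse the expired session id
}
$_SESSION['last_activity'] = time();

if (!empty($_GET['set'])) {
    $_SESSION['test'] = 'test';
}
if (!empty($_GET['delete'])) {
    destroy_session_fully();
}
print_r($_SESSION);
```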