PHP sessions on Debian and Ubuntu 2015-03-18

Recently I have been working quite a lot with setting up Apache2 with PHP5 environments, and today I was asked to increase the session timeout for PHP sessions.

My first instinct, and knowledge from previous setups, was to head into the /etc/php/apache2/php.ini file to review the session.gc_probability, session.gc_divisor and session.gc_maxlifetime settings.

session.gc_probability = 0
session.gc_divisor = 1000
session.gc_maxlifetime = 1440

What struck me as surprising was that the session.gc_probability setting was set to 0. Usually I would just increase gc_maxlifetime, make sure that the probability wasn’t set too high and report back that the issue was solved.

After some research I found out that the Debian and Ubuntu distributions don’t use PHP’s garbage collector to clear out old sessions by default, hence the 0 value in the settings.

Instead, Debian/Ubuntu uses cron to trigger a cleanup script every 30 minutes, which finds old session files and removes them from the drive. This cronjob is defined in /etc/cron.d/php5. "So the php.ini is completely irrelevant for session handling in Debian/Ubuntu?", you might think.

Nope. The cronjob first verifies the existence of its components, then extracts session.gc_maxlifetime from the php.ini file and uses its value as an argument for the actual removal script. If the value is set to 3600, the script will use find to locate all session files in /var/lib/php5 older than one hour and delete them.
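The sketch below is an added example of that flow, not the script Debian/Ubuntu ships: it reads session.gc_maxlifetime from a php.ini and uses find to select session files older than that. The function names and the use of modification time (-mmin) are assumptions made here; the ini path and session directory are passed as arguments.

```shell
#!/bin/sh
# Added illustration, not the Debian/Ubuntu cron script.
# Function names are hypothetical; paths are supplied by the caller.

# Print session.gc_maxlifetime (seconds) from a php.ini.
# Commented-out lines (starting with ';') are ignored; if the key is
# missing or the file is unreadable, fall back to PHP's default of 1440.
read_maxlifetime() {
    ini=$1
    val=
    if [ -r "$ini" ]; then
        val=$(sed -n 's/^[[:space:]]*session\.gc_maxlifetime[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$ini" | tail -n 1)
    fi
    case $val in
        ''|*[!0-9]*) val=1440 ;;
    esac
    echo "$val"
}

# List session files directly inside <dir> that were last modified more
# than <max> seconds ago. find works in whole minutes, so round up.
list_expired() {
    dir=$1
    max=$2
    minutes=$(( (max + 59) / 60 ))
    find "$dir" -maxdepth 1 -type f -name 'sess_*' -mmin "+$minutes" | sort
}

# Delete what list_expired reports; run list_expired alone for a dry run.
purge_expired() {
    list_expired "$1" "$2" | while IFS= read -r f; do
        rm -f -- "$f"
    done
}
```

Running list_expired on its own before purge_expired shows which sessions a new gc_maxlifetime value would end.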

Since we use file-based session handling this is pretty straightforward; I personally prefer it to the cryptic probability / divisor approach.
