NYCPHP Meetup

[Paul Houle]

    I've been making some modifications on an application that uses PHP 
sessions for authentication.  Our client wants sessions to time out 
after six hours of inactivity,  and I'm wondering if there's an easy way 
to do that by configuring PHP. 

session.cookie_lifetime

    sets the lifetime of the session cookie -- however,  it appears that 
the cookie gets set once on session start,  so this would cause the 
session to last six hours after it begins.  It's not so clear to me 
exactly what

session.gc_maxlifetime

    does,  but with a default value of 1440 seconds,  I'd think that my 
sessions would be expiring a lot more quickly than they are if that was 
setting a timeout.

    I can certainly hack the code to do something like

$now=time();
if(isset($_SESSION["timestamp"])) {
    ... dump session if now-timestamp > limit ...
}
$_SESSION["timestamp"]=$now;

    but I'm wondering if there's a more natural way to do it.