Newsgroups: php.internals
Subject: Re: [PHP-DEV] session.gc_maxlifetime default value
From: penguin@php.net (Peter Brodersen)
To: robert@interjinn.com (Robert Cummings)
Cc: internals@lists.php.net
Date: Thu, 31 Aug 2006 03:21:55 +0200
Message-ID: <0cdcf29oshot25s4bk57e1vbkbit2bp9oc@4ax.com>
In-Reply-To: <1156217178.717.13.camel@blobule>

Hi,

On Mon, 21 Aug 2006 23:26:18 -0400, in php.internals robert@interjinn.com (Robert Cummings) wrote:

>> I believe that it is easier and nicer for a web developer to discard
>> a session in a system with a high gc_maxlifetime than to keep a
>> session alive (e.g. having the page access a php resource every couple
>> of minutes using javascript).
>
> The short duration is to help ensure better privacy. It means that if
> you leave a computer and forget to close down the browser then snoopy
> people only have 24 minutes to access anything you left behind.

That value still seems pretty arbitrary. As mentioned, it would be much easier for a developer to discard specific session variables after a shorter period of time than to extend this period. Far from all session data is private data, and it doesn't have to be nuked after 24 minutes. The developer could also distinguish between sensitive and non-sensitive data and discard a few session variables instead of nuking all data in the current session.

The method of extending the timeout is also pretty cumbersome and pretty much a hack. One would have the pages perform background requests as a form of keepalive requests.

> 24 minutes is probably some value that lies between irritatingly quick
> session expiry and overly long session lifespans -- at least for a
> default value.

I would disagree. I don't think that the default value of 1440 seconds was set because of this - I simply think it was meant to be one day in the first place. I believe that a value of half a day or a day is more sensible. At least I have experienced a couple of incidents where I or some of my users have used more than 24 minutes between pages.

As well as other parts of PHP, the application should handle security, including reasonable timeout values for different tasks. The garbage collection is a safety valve (as with any other garbage collection).

Summarized: A higher default gc_maxlifetime would benefit:

+ Fewer strange session expiration incidents (with non-private data)
+ Easier for the administrator to maintain his own timeout value (above 24 minutes) without resorting to keepalive hacks
! Security handling should, where possible, be performed by the code.

-- 
- Peter Brodersen
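The per-variable expiry the message argues for, as an added example that is not part of the thread or of PHP itself: sensitive keys get their own short deadline inside a session whose gc_maxlifetime is set to a full day. The SENSITIVE_TTL table, the `_expires` bookkeeping key and the function names are this example's own choices.

```php
<?php
// Added example: discard only sensitive session variables on a short timeout
// while the session as a whole lives for a day (gc_maxlifetime = 86400).
declare(strict_types=1);

// Per-key lifetimes in seconds (constructed values); everything else in the
// session lives as long as session.gc_maxlifetime allows.
const SENSITIVE_TTL = [
    'auth_token' => 600, // re-authentication material: 10 minutes
    'cc_last4'   => 300, // payment detail shown once: 5 minutes
];

/** Store a sensitive value and record the time at which it must be discarded. */
function session_set_sensitive(string $key, mixed $value, int $now): void
{
    $ttl = SENSITIVE_TTL[$key] ?? null;
    if ($ttl === null) {
        throw new InvalidArgumentException("$key has no configured lifetime");
    }
    $_SESSION[$key] = $value;
    $_SESSION['_expires'][$key] = $now + $ttl;
}

/** Remove only the sensitive keys whose deadline has passed; returns the keys removed. */
function session_expire_sensitive(int $now): array
{
    $removed = [];
    foreach ($_SESSION['_expires'] ?? [] as $key => $deadline) {
        if ($now >= $deadline) {
            unset($_SESSION[$key], $_SESSION['_expires'][$key]);
            $removed[] = $key;
        }
    }
    return $removed;
}

// Request bootstrap: set the long overall lifetime the message proposes, then
// sweep expired sensitive keys before any handler reads the session.
ini_set('session.gc_maxlifetime', '86400');
session_start();
$dropped = session_expire_sensitive(time());

// Constructed usage: a later request stores a fresh token; non-sensitive data
// such as a shopping cart is left alone and survives the 24-minute default.
session_set_sensitive('auth_token', bin2hex(random_bytes(16)), time());
$_SESSION['cart'] = ['sku-123' => 2];
```

gc_maxlifetime only makes stale data eligible for collection; session.gc_probability and session.gc_divisor decide when PHP's sweep actually runs, so the explicit deadline check above is what enforces the shorter lifetime for the sensitive keys.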