I’m wondering how PHP detects that a specific session has timed out.
In detail: I’m using the default (file based) session handler, with a default session lifetime and so on. Everything in php.ini is on default.
If a session is now started, PHP checks (depending on session.gc_divisor and session.gc_probability) whether there are any timed-out sessions. But where does PHP get the last session access time from, to check the sessions against?
The session file itself contains only the workload, e.g. x|i:1; for a $_SESSION['x'] = 1;, so there is no information about the last session access time.
I think that there is no in-memory information related to session start times, as the sessions are still working after a full server restart.
So, where does PHP get the information from? Is it comparing the mtime/ctime of the session file?
PHP’s default session handler stores the $_SESSION data in a file using serialize(), in the directory specified by session.save_path. Generally the filename looks something like $filename = 'sess_' . session_id().

Since it’s just a file, PHP can use the file’s mtime (time of last modification) to determine which session files are stale. Basically it’ll grab all the session files whose mtime exceeds the session.gc_maxlifetime value and unlink() them. As you’ve said, the probability of the cleanup occurring is governed by the session.gc_* ini variables.

Now, if you create your own session handlers with session_set_save_handler(), this is all out the window, and you’ve now got control over how sessions are stored and cleaned up, but this does explain the default behavior.
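
The mtime-based sweep described in the answer above, as an added example that is not part of the original answer and is not PHP's internal code. The function names, the temporary demo directory and the three sample files are constructed for illustration; 1440 seconds is the php.ini default for session.gc_maxlifetime.

```php
<?php
// Added illustration (not PHP's internal code): an mtime-based sweep of sess_* files.

/** Session files in $dir whose last modification is more than $maxLifetime seconds ago. */
function find_stale_sessions(string $dir, int $maxLifetime, int $now): array
{
    $stale = [];
    foreach (glob($dir . '/sess_*') ?: [] as $file) {
        // Only regular files: never follow a symlink planted in the save path.
        if (!is_file($file) || is_link($file)) {
            continue;
        }
        $mtime = filemtime($file);
        if ($mtime !== false && $now - $mtime > $maxLifetime) {
            $stale[] = $file;
        }
    }
    sort($stale);
    return $stale;
}

/** Delete the stale files and return how many were removed. */
function sweep_sessions(string $dir, int $maxLifetime, int $now): int
{
    $removed = 0;
    foreach (find_stale_sessions($dir, $maxLifetime, $now) as $file) {
        $removed += unlink($file) ? 1 : 0;
    }
    return $removed;
}

// Constructed sample data: three session files with forced ages (in seconds).
$dir = sys_get_temp_dir() . '/sess_demo_' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
$now = time();
$maxLifetime = 1440; // php.ini default for session.gc_maxlifetime
foreach (['sess_fresh' => 60, 'sess_edge' => 1440, 'sess_stale' => 7200] as $name => $age) {
    file_put_contents("$dir/$name", 'x|i:1;');
    touch("$dir/$name", $now - $age); // push the mtime into the past
}
clearstatcache();

echo 'stale:   ', implode(', ', array_map('basename', find_stale_sessions($dir, $maxLifetime, $now))), PHP_EOL;
echo 'removed: ', sweep_sessions($dir, $maxLifetime, $now), PHP_EOL;
echo 'kept:    ', implode(', ', array_map('basename', glob("$dir/sess_*") ?: [])), PHP_EOL;

// Clean up the demo directory.
array_map('unlink', glob("$dir/sess_*") ?: []);
rmdir($dir);
```

Because the sweep only runs with the probability set by session.gc_probability and session.gc_divisor, a file older than session.gc_maxlifetime stays on disk, and stays loadable by session_start(), until a sweep actually happens; an application that needs a hard idle timeout keeps its own last-activity timestamp in $_SESSION.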