How do I expire a PHP session after 30 minutes

Questions

I need to keep a session alive for 30 minutes and then destroy it.

Answers

http://php.net/manual/en/session.configuration.php#ini.session.cookie-lifetime

  First:   
session.gc_maxlifetime
session.gc_maxlifetime specifies the number of seconds after which data will be seen as garbage and cleaned up. Garbage collection occurs during session start.

http://php.net/manual/en/session.configuration.php#ini.session.gc-divisor

Well, you could simply adjust these values so that the garbage collector is started more often. But when the garbage collector is started, it will check the validity for every registered session. And that is cost-intensive.

http://php.net/manual/en/session.configuration.php#ini.session.save-path

Note: If you are using the default file-based session handler, your filesystem must keep track of access times (atime). Windows FAT does not so you will have to come up with another way to handle garbage collecting your session if you are stuck with a FAT filesystem or any other filesystem where atime tracking is not available. Since PHP 4.2.3 it has used mtime (modified date) instead of atime. So, you won't have problems with filesystems where atime tracking is not available.

So it additionally might occur that a session data file is deleted while the session itself is still considered as valid because the session data was not updated recently.

  And second:   
session.cookie_lifetime
session.cookie_lifetime specifies the lifetime of the cookie in seconds which is sent to the browser. […]

http://en.wikipedia.org/wiki/HTTP_cookie#Session_cookie

  Conclusion / best solution:   

The best solution is to implement a session timeout of your own. Use a simple time stamp that denotes the time of the last activity (i.e. request) and update it with every request:

if (isset($_SESSION['LAST_ACTIVITY']) && (time() - $_SESSION['LAST_ACTIVITY'] > 1800)) {
    // last request was more than 30 minutes ago
    session_unset();     // unset $_SESSION variable for the run-time
    session_destroy();   // destroy session data in storage
}
$_SESSION['LAST_ACTIVITY'] = time(); // update last activity time stamp

Updating the session data with every request also changes the session file's modification date so that the session is not removed by the garbage collector prematurely.

http://www.owasp.org/index.php/Session_fixation

if (!isset($_SESSION['CREATED'])) {
    $_SESSION['CREATED'] = time();
} else if (time() - $_SESSION['CREATED'] > 1800) {
    // session started more than 30 minutes ago
    session_regenerate_id(true);    // change session ID for the current session and invalidate old session ID
    $_SESSION['CREATED'] = time();  // update creation time
}

  Notes:   
    • session.gc_maxlifetime should be at least equal to the lifetime of this custom expiration handler (1800 in this example);
    • if you want to expire the session after 30 minutes of activity instead of after 30 minutes since start, you'll also need to use setcookie with an expire of time()+60*30 to keep the session cookie active.

Source

License : cc by-sa 3.0

http://stackoverflow.com/questions/520237/how-do-i-expire-a-php-session-after-30-minutes
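
The two checks from the answer above (idle timeout on LAST_ACTIVITY, periodic ID regeneration on CREATED) combined into one per-request routine; this is an added example, not part of the original answer. The names evaluate_session, start_timed_session, IDLE_LIMIT and ROTATE_AFTER are hypothetical, and the timestamps in the command-line run at the end are constructed.

```php
<?php
declare(strict_types=1);

const IDLE_LIMIT = 1800;   // seconds without a request before the session ends
const ROTATE_AFTER = 1800; // seconds after creation before the ID is replaced

// Hypothetical helper: updates the timestamps in $s and returns
// 'expired', 'rotate' or 'ok'. Works on any array, so it can be checked offline.
function evaluate_session(array &$s, int $now): string
{
    if (isset($s['LAST_ACTIVITY']) && $now - $s['LAST_ACTIVITY'] > IDLE_LIMIT) {
        $s = [];                    // discard all data of the stale session
        return 'expired';
    }
    $s['LAST_ACTIVITY'] = $now;     // also refreshes the session file's mtime
    if (!isset($s['CREATED'])) {
        $s['CREATED'] = $now;
    } elseif ($now - $s['CREATED'] > ROTATE_AFTER) {
        $s['CREATED'] = $now;
        return 'rotate';
    }
    return 'ok';
}

// Hypothetical wrapper: call once at the top of every web request.
function start_timed_session(): void
{
    ini_set('session.gc_maxlifetime', (string) IDLE_LIMIT); // never below the idle limit
    session_start();
    $state = evaluate_session($_SESSION, time());
    if ($state === 'expired') {
        session_unset();
        session_destroy();              // remove the stored session data
        session_start();                // begin a fresh, empty session
        session_regenerate_id(true);    // do not keep the timed-out ID
        evaluate_session($_SESSION, time());
    } elseif ($state === 'rotate') {
        session_regenerate_id(true);    // new ID, old one invalidated
    }
}

if (PHP_SAPI === 'cli') {               // constructed timestamps, no web server needed
    $s = [];
    foreach ([0, 1700, 1900, 3800] as $t) {
        echo $t, ' => ', evaluate_session($s, $t), PHP_EOL;
    }
}
```

Keeping the decision in a function that takes the time as a parameter lets the expiry and rotation boundaries be exercised from the command line before the wrapper is used in a request.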
