I'm having some troubles with the session timeout in a PHP application, I suspect the timeout is given by code but I prefer checking the infrastructure first. The application I'm running is pure PHP 5.6 on Apache behind a classic LB in AWS. Devs told me that they don't manipulate the session cookie in the code so I checked my apache2/php.ini file. This is the one:
[Session]
session.save_handler = files
session.use_strict_mode = 0
session.use_cookies = 1
session.cookie_secure = On
session.use_only_cookies = 1
session.name = PHPSESSID
session.auto_start = 0
session.cookie_lifetime = 0
session.cookie_path = /
session.cookie_domain =
session.cookie_httponly = 1
session.serialize_handler = php
session.gc_probability = 0
session.gc_divisor = 1000
session.gc_maxlifetime = 2400
session.referer_check =
session.cache_limiter = nocache
session.cache_expire = 180
session.use_trans_sid = 0
session.hash_function = 0
session.hash_bits_per_character = 5
url_rewriter.tags = "a=href,area=href,frame=src,input=src,form=fakeentry"
This is the main [PHP] section just in case:
[PHP]
engine = On
short_open_tag = On
asp_tags = Off
precision = 14
output_buffering = 4096
zlib.output_compression = Off
implicit_flush = Off
unserialize_callback_func =
serialize_precision = 17
disable_functions = pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,
disable_classes =
zend.enable_gc = On
expose_php = Off
max_execution_time = 30
max_input_time = 60
memory_limit = 128M
error_reporting = E_ALL
display_errors = On
display_startup_errors = Off
log_errors = On
log_errors_max_len = 1024
ignore_repeated_errors = Off
ignore_repeated_source = Off
report_memleaks = On
track_errors = Off
html_errors = On
variables_order = "GPCS"
request_order = "GP"
register_argc_argv = Off
auto_globals_jit = On
post_max_size = 800M
auto_prepend_file =
auto_append_file =
default_mimetype = "text/html"
default_charset = "UTF-8"
doc_root =
user_dir =
enable_dl = Off
file_uploads = On
upload_max_filesize = 750M
max_file_uploads = 20
allow_url_fopen = On
allow_url_include = Off
default_socket_timeout = 60
As far as I'm concerned there is absolutely nothing in the infrastructure which may impose a timeout. Am I right?
I've checked also the cookies on my browser and I'm receiving these parameters:
AWSELB
PHPSESSID
Both cookies have this in Expires / Max Age –> 1969-12-31T23:59:59.000Z
Do I have to check something else? Any clues?
Thanks in advance..
Best Answer
Gotcha! Apparently there is a cron.d file named php, which essentially is a dash script (/bin/sh) that executes every 30 minutes and clean the php sessions, this script evaluates both apache2 and cli configs so, by modifying both values on GC max lifetime that did the trick.