Debian and derivatives (Ubuntu) don't use the PHP session garbage collector:
session.gc_probability = 0
Instead they use a cron job, /etc/cron.d/php5:
09,39 * * * * root [ -x /usr/lib/php5/maxlifetime ] && [ -d /var/lib/php5 ] && find /var/lib/php5/ -depth -mindepth 1 -maxdepth 1 -type f -cmin +$(/usr/lib/php5/maxlifetime) ! -execdir fuser -s {} 2>/dev/null \; -delete
Why has Debian chosen to do this?
Best Answer
Because Debian sets very stringent permissions on /var/lib/php5 (1733, owner root, group root) to prevent PHP session hijacking. Unfortunately, this also prevents the native PHP session garbage collector from working, because it can't see the session files there. The cron job runs as root, which does have sufficient access to see and clean up the session files.
Edit: Supporting documentation: The behavior was established in response to bug #267720. (There used to be comments in the stock php.ini file about this, but I don't see them there now in my wheezy-based PHP install.)
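The permission layout described in the answer above can be checked with a short audit script. This is an added example, not part of the original answer or Debian's packaging; the function names mode_findings and audit_session_dir are hypothetical, and GNU stat is assumed.

```shell
#!/bin/sh
# Added example: audit a PHP session directory against the layout the
# answer describes (mode 1733, owned by root). Function names are made up.

# mode_findings OCTAL_MODE
# Prints one line per finding; returns 0 only for the hardened layout.
mode_findings() {
    m=$((0$1))      # the leading 0 makes the shell read the value as octal
    rc=0
    if [ $((m & 01000)) -eq 0 ]; then
        echo "no sticky bit: users with write access can delete or rename each other's session files"
        rc=1
    fi
    if [ $((m & 0044)) -ne 0 ]; then
        echo "group/other can list the directory: session file names (IDs) are enumerable"
        rc=1
    fi
    if [ $((m & 0003)) -ne 3 ]; then
        echo "other lacks write+search: an unprivileged PHP process cannot create or open session files"
        rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        echo "mode ok: unprivileged processes cannot list files, so PHP's own GC cannot work and a root cleanup job is needed"
    fi
    return "$rc"
}

# audit_session_dir DIR [EXPECTED_UID]
# EXPECTED_UID defaults to 0 (root). Returns 0 when owner and mode both match.
audit_session_dir() {
    dir=$1
    want_uid=${2:-0}
    [ -d "$dir" ] || { echo "$dir: not a directory"; return 2; }
    mode=$(stat -c '%a' "$dir")     # GNU stat: octal mode, e.g. 1733
    uid=$(stat -c '%u' "$dir")      # numeric owner
    echo "$dir: mode=$mode uid=$uid"
    status=0
    if [ "$uid" != "$want_uid" ]; then
        echo "owner uid is $uid, expected $want_uid"
        status=1
    fi
    mode_findings "$mode" || status=1
    return "$status"
}

# Usage on a Debian system of the era discussed: audit_session_dir /var/lib/php5
```

A mode of 1777 (the usual /tmp layout) fails this check because the read bits let any local user list session file names, which is the exposure the 1733 mode removes.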