
How to set the life cycle and expiration time of PHP session?

M66 2025-06-06

In PHP, the Session is a common mechanism for identifying users and retaining data between requests. By default, the life cycle and expiration time of the Session are controlled by the server's configuration file (such as php.ini), but we can also customize the Session life cycle with the relevant settings before calling session_start().

This article explains in detail how to set the life cycle and expiration time of the Session before calling session_start(), along with related precautions.

1. Understand Session Lifecycle and Expiration Time

The Session life cycle consists of two parts:

  1. Expiration time of the client cookie: whether the Session ID is still retained after the browser is closed.

  2. Storage time of the server-side Session data: how long the session data stored on the server survives.

Both need to be properly set up to achieve the Session lifecycle you expect.

2. Key functions for setting the Session life cycle

Before calling session_start(), you can set the Session life cycle using the following two functions:

  • session_set_cookie_params(): Sets the expiration time of the client cookie.

  • ini_set('session.gc_maxlifetime', seconds): Sets the maximum survival time of the server-side Session data.

3. Sample code

Here is an example of setting the Session lifecycle to 1 hour (3600 seconds):

<code>
<?php
// Set the server-side Session life cycle to 1 hour
ini_set('session.gc_maxlifetime', 3600);

// Set the client cookie life cycle to 1 hour
session_set_cookie_params([
    'lifetime' => 3600,
    'path' => '/',
    'domain' => 'm66.net',
    'secure' => true,     // Send the cookie only over HTTPS (enable as needed)
    'httponly' => true,   // Prevent JavaScript from accessing the cookie
    'samesite' => 'Lax'   // Helps mitigate CSRF; allowed values: Lax, Strict, None
]);

// Start the Session
session_start();

// Set a Session variable
$_SESSION['user_id'] = 1234;
?>
</code>

Notes:

  • session.gc_maxlifetime: Controls how long the server retains Session data. The default value is usually 1440 seconds (24 minutes).

  • The lifetime parameter of session_set_cookie_params() determines the expiration time of the client cookie. A value of 0 means the cookie expires when the browser is closed.

4. Session's garbage collection mechanism

Even if gc_maxlifetime is set, PHP's garbage collection mechanism does not clear expired sessions on every request. The probability of a cleanup is determined by the following configuration items:

session.gc_probability = 1
session.gc_divisor = 100

With these values, there is a 1% chance (gc_probability / gc_divisor) that a Session cleanup is performed. The values can be adjusted as needed.
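Because cleanup is probabilistic, the data file of a Session older than gc_maxlifetime can still be on disk and be loaded by a later request. The following example is added here and is not code from the original article: it enforces expiration in application code by storing timestamps in the Session. The function names, the created_at and last_seen keys, and the 8-hour absolute limit are assumptions made for illustration.

```php
<?php
// Added example: enforce Session expiry in application code instead of
// relying on garbage collection. Names and limits below are assumptions.
const IDLE_LIMIT     = 3600;   // allowed inactivity in seconds (the article's 1 hour)
const ABSOLUTE_LIMIT = 28800;  // assumed hard cap on total Session age (8 hours)

function session_is_expired(array $session, int $now): bool
{
    // A Session without our timestamps is brand new, not expired.
    if (!isset($session['created_at'], $session['last_seen'])) {
        return false;
    }
    return ($now - $session['last_seen']) > IDLE_LIMIT
        || ($now - $session['created_at']) > ABSOLUTE_LIMIT;
}

function start_session_with_expiry(): void
{
    // Server-side data may be collected after the idle limit.
    ini_set('session.gc_maxlifetime', (string) IDLE_LIMIT);
    // The cookie is only issued when the Session is created, so it is
    // given the absolute limit; the idle limit is enforced below.
    session_set_cookie_params([
        'lifetime' => ABSOLUTE_LIMIT,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();

    $now = time();
    if (session_is_expired($_SESSION, $now)) {
        // The data file survived GC, but the Session is logically dead:
        // drop its contents and move to a new Session ID, deleting the old file.
        $_SESSION = [];
        session_regenerate_id(true);
    }
    if (!isset($_SESSION['created_at'])) {
        $_SESSION['created_at'] = $now;
    }
    $_SESSION['last_seen'] = $now;
}

start_session_with_expiry();
```

After this call, a request that arrives with a stale Session ID continues with an empty Session, so code that checks $_SESSION['user_id'] treats the user as logged out.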

5. Suggestions for use in real projects

  • If you are running multiple subdomains (such as api.m66.net, admin.m66.net), it is recommended to set domain to .m66.net so that the Session is shared across subdomains. Note that the Session cookie is then sent to every subdomain.

  • When using HTTPS, be sure to set the secure and httponly parameters to improve Session security.

  • Clean out expired Session files regularly so that they do not pile up and occupy server space.

6. Conclusion

By properly configuring session_set_cookie_params() and session.gc_maxlifetime, we can flexibly control the life cycle of the PHP Session and manage user state more securely and efficiently. Making these settings before calling session_start() is a key step in implementing customized session behavior.