php manually session.gc_maxlifetime under Linux (Debian,Ubuntu) ignored. How to set alternative?

StackOverflow https://stackoverflow.com/questions/8141564

  •  01-03-2021

Question

My problem is quickly described by the need to extend the session data life over its default settings within the php.ini without changing the php.ini. I am looking for a solution that can be applied to a number of different PHP setups across server platforms so there is no need for the script to be changed for every install.

Since I don't want to change defaults on my server and want to stay as independent as possible with my script, I am looking for a way to exceed the default 1440 seconds that are set for the garbage collector to dispose of my session data prematurely. Simply setting ini_set('session.gc_maxlifetime',36000); to 10 hours will not work, as on some servers the GC will run unaffected by PHP's settings and delete my sessions after 24 min anyway, as described here. To get around this problem the author suggests changing the session.save_path to another folder unaffected by the OS's GC, thereby enforcing the session.gc_maxlifetime from my settings. Unfortunately I was unable to create a temp folder within PHP's tmp space, and though I would like to, I don't seem to be able to since I don't have 0600 access on most servers.

One solution would be to link my session data to my own folder created right in my shared host folder, but that seems insecure as this folder must then be available online and therefore exposed to possible ID theft. Though I do not know whether that is the case.

Another solution would be to include $_SESSION["stayalaive"]=time(); in the login script, since the GC only deletes sessions untouched for the specific amount of time, so that the session will be extended every time the login script is called. That means if the user does not click anything for 24 min the session will be deleted anyway, which is something I could possibly live with, but it also seems to put on another process that seems unnecessary.

So my question is how to set up my session data to stay alive for 10 hours without clocking too much performance for it.

Solution

I have used php.ini directives inside scripts before, and besides, you can make directories inside your hosting reserved space.

So (at the very beginning of your script) this must work, no doubt:

<?php

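    // obtain current directory
    $APPPATH = dirname(__FILE__);

    // create the session directory on first run, readable by its owner only (0700)
    if ( ! file_exists($APPPATH . '/tmp/sessions'))
    {
        mkdir($APPPATH . '/tmp/sessions', 0700, TRUE);
    }

    // both settings have to be applied before session_start()
    ini_set('session.save_path', $APPPATH . '/tmp/sessions');
    ini_set('session.gc_maxlifetime', 36000);
    session_start();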

?>

Both directives have PHP_INI_ALL changeable mode, so they can be set inside scripts.

OTHER TIPS

Any webhost worth their salt will give you a directory above your public_html (or whatever) folder. If yours does, then you can create a directory for sessions there, and it won't be accessible from the web.

If your hosting is so crappy that anything you're allowed to touch via FTP/SSH/whatever is also available via HTTP, things are more annoying.

So assuming you have a crappy host, here are a few ideas:

1) Store sessions inside your web root, and use .htaccess to make it non-browsable.

2) Store session data in the database.

Either of those options should enable you to set your own garbage-collection rules via ini_set(), and avoid having other processes clobber your sessions.
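
Option 2 above as an added example, not code from the original answers: a PDO-backed session handler that keeps session data out of any web-reachable folder and enforces the 10-hour lifetime itself. The class name DbSessionHandler, the sessions table layout and the SQLite DSN are assumptions made for illustration.

```php
<?php
// Added example: sessions live in a database table, out of reach of the OS cleanup job.
final class DbSessionHandler implements SessionHandlerInterface
{
    private $pdo;
    private $lifetime;
    public function __construct(PDO $pdo, $lifetime)
    {
        $this->pdo = $pdo;
        $this->lifetime = (int) $lifetime;
        $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
        $pdo->exec('CREATE TABLE IF NOT EXISTS sessions
            (id VARCHAR(128) PRIMARY KEY, data BLOB, last_access INTEGER NOT NULL)');
    }
    public function open($path, $name): bool { return true; }
    public function close(): bool { return true; }
    public function read($id): string
    {
        // Expiry is enforced here, so a stale row is never served even if gc() has not run yet.
        $st = $this->pdo->prepare('SELECT data FROM sessions WHERE id = ? AND last_access >= ?');
        $st->execute([$id, time() - $this->lifetime]);
        $data = $st->fetchColumn();
        return $data === false ? '' : (string) $data;
    }
    public function write($id, $data): bool
    {
        $st = $this->pdo->prepare('REPLACE INTO sessions (id, data, last_access) VALUES (?, ?, ?)');
        $st->bindValue(1, $id);
        $st->bindValue(2, $data, PDO::PARAM_LOB);
        $st->bindValue(3, time(), PDO::PARAM_INT);
        return $st->execute();
    }
    public function destroy($id): bool
    {
        return $this->pdo->prepare('DELETE FROM sessions WHERE id = ?')->execute([$id]);
    }
    public function gc($max_lifetime): int
    {
        $st = $this->pdo->prepare('DELETE FROM sessions WHERE last_access < ?');
        $st->execute([time() - $this->lifetime]);
        return $st->rowCount();
    }
}
// Constructed DSN for a local run; on a host, pass its MySQL DSN and credentials instead.
$pdo = new PDO('sqlite:' . sys_get_temp_dir() . '/app_sessions.sqlite');
ini_set('session.gc_probability', '1'); // Debian/Ubuntu ship 0 and clean up via cron instead
ini_set('session.gc_divisor', '100');
session_set_save_handler(new DbSessionHandler($pdo, 36000), true);
session_start();
```

Every write refreshes last_access, so the 10 hours count from the user's last request rather than from login.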

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow