How the PHP session garbage collector really works

Sessions in PHP are easy to handle, but have a tricky configuration underneath. The common opinion is, that when you close your browser, the session is gone. Actually, it’s a little bit more complicated: Have a look on these 3 lines in your php.ini:

session.gc_maxlifetime = 3600
session.gc_probability = 1
session.gc_divisor = 1000

session.gc_maxlifetime says: 3600 seconds (1 hour) after session initialization, PHP will mark this session as “outdated” and flag it as “ready to delete”. The session still exists after 1 hour! But it’s not deleted. The deletion process of all outdated and ready-to-delete file is called “garbage collection” (process), and it’s triggered – with a specific probability – when another user comes to your page and PHP has to compile something. This probability is calculated by session.gc_probability divided by session.gc_divisor. Yeah, a little bit weird, but the people behind PHP have thought about this, and there are reasons for this behaviour.

Have a look on this excellent answer on StackOverflow to read more about this topic: How do I expire a PHP session after 30 minutes?. So in general it means, that when you close your browser and open it again, and are still logged in, it has to do with PHP’s session gargabe collector process. This might happen quite often on low-traffic sites or while you are developing locally.

This article was written quite a while ago (6 years), please keep this in mind when using the information written here. Links, code and commands might be outdated or broken.