Tuesday, September 27, 2011

Session garbage collection in PHP

SkyHi @ Tuesday, September 27, 2011
Many of us use the 'LAMP' stack (Linux, Apache, MySQL, and PHP) for web development. Sessions are commonly used by websites to keep track of various user-related information across some period of time. PHP provides a session garbage collection mechanism that ensures old, unused sessions are cleared regularly. This helps prevent performance degradation caused by the accumulation of session data, and reduces the risk of session hijacking as well.
The parameters that control this garbage collection process are session.gc_maxlifetime, session.gc_probability, and session.gc_divisor in the PHP configuration file php.ini. session.gc_maxlifetime defines the number of seconds that must elapse before session data is treated as garbage and cleaned up by the garbage collection process; it is the minimum amount of time for which garbage collection allows an inactive session to exist. session.gc_probability and session.gc_divisor together define the probability that the garbage collection process runs on each session initialization. For example, if session.gc_probability is set to 1 and session.gc_divisor is set to 100, the resulting probability of 0.01 (= session.gc_probability / session.gc_divisor) means there is a 1% chance that garbage collection runs on each session initialization request. Setting the probability too high adds unnecessary processing load on the server, whereas setting it too low may cause server performance to degrade due to the large amount of stored session data (needed or not) and also increases the risk of a user reconnecting to an old, unwanted session (whether maliciously or not).
In Drupal, the settings.php file uses ini_set('session.gc_maxlifetime', 200000) as its default configuration. You can modify this value, together with some other parameters (e.g. session.cache_expire, session.cache_limiter, session.cookie_lifetime), to suit the particular needs of your website. One thing you might not have noticed is that on Debian/Ubuntu, PHP's session garbage collection mechanism is disabled by default (e.g. the default php.ini in Ubuntu contains the line ;session.gc_probability = 0). Instead, a cron job runs every half hour (see the script /etc/cron.d/php5) to purge session files in the /var/lib/php5/ directory. In most cases this does not do the session cleanup job for us, because session data may not be saved as files under /var/lib/php5/ (as in Drupal, which keeps sessions in its database table). Thus, by default, PHP session garbage collection does not run on Debian/Ubuntu as many may expect. To fix this, you can edit php.ini and add the line session.gc_probability = 1. In Drupal, you can also edit the settings.php file and add lines such as:

ini_set('session.gc_probability', 1);
ini_set('session.gc_divisor', 100);

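As an added example (not code from the original post or from Drupal), the following PHP snippet reads the effective session GC settings of the running interpreter with ini_get(), applies the two ini_set() lines above, and flags the Debian/Ubuntu case where PHP's own garbage collection is off while sessions are stored somewhere the distro cron job never looks. The function name session_gc_report is my own choice.

```php
<?php
// Added example (not from the original post): report the effective PHP
// session garbage-collection settings of the running interpreter.
// ini_get() returns the merged result of php.ini, per-directory overrides
// and any earlier ini_set() calls, such as those in Drupal's settings.php.

function session_gc_report() {
    $probability = (int) ini_get('session.gc_probability');
    $divisor     = (int) ini_get('session.gc_divisor');
    $maxlifetime = (int) ini_get('session.gc_maxlifetime');
    $handler     = ini_get('session.save_handler');  // 'files', 'user', ...
    $save_path   = ini_get('session.save_path');

    $report = array(
        'gc_maxlifetime' => $maxlifetime,
        'gc_probability' => $probability,
        'gc_divisor'     => $divisor,
        'save_handler'   => $handler,
        'save_path'      => $save_path,
        'gc_chance'      => 0.0,
        'warnings'       => array(),
    );

    if ($probability <= 0 || $divisor <= 0) {
        // PHP's own GC never runs. On Debian/Ubuntu the cron job in
        // /etc/cron.d/php5 only purges files under /var/lib/php5, so any
        // other storage (e.g. Drupal's sessions table) is never cleaned.
        $report['warnings'][] = 'PHP session garbage collection is disabled '
            . '(session.gc_probability / session.gc_divisor).';
        if ($handler !== 'files' || strpos($save_path, '/var/lib/php5') !== 0) {
            $report['warnings'][] = 'Sessions are not stored as files under '
                . '/var/lib/php5, so the distro cron job will not purge them.';
        }
    } else {
        // Chance that one session initialization triggers GC, and the mean
        // number of session initializations between two GC runs.
        $report['gc_chance'] = $probability / $divisor;
        $report['mean_requests_between_gc'] = $divisor / $probability;
    }
    return $report;
}

// Before: whatever php.ini (or the distro default) provides.
print_r(session_gc_report());

// After: the two settings.php lines suggested in the post.
ini_set('session.gc_probability', 1);
ini_set('session.gc_divisor', 100);
print_r(session_gc_report());
```

Run it from the command line with the same php.ini your web server uses (php -c /etc/php5/apache2/php.ini check.php, for instance) to see the configuration the site actually gets.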
In Drupal, you can also make use of the Session Expire module (http://drupal.org/project/session_expire) to trim the sessions table regularly.

REFERENCES
http://www.appnovation.com/session-garbage-collection-php