PHP Session does not expire on closing browser

Hi all,

I am a beginner PHP programmer and I have a nagging Session question.
In a script where I use a session, I noticed my session never expires when I close a browser without explicitly logging out. All the text books I have read states that the session is temporary and it will destroy on closing browser. And that is one of the difference between Cookies and Sessions.
I haven’t changed my default configuration so it is set as session.cookie_lifetime=0 and session.gc_maxlifetime=1440.
I thought if session.cookie_lifetime is set to zero, the session should expire when a user close the browser.

I tried my session with firefox, safari, opera, and IE. Every browser behaves the same way. THE SESSION NEVER EXPIRES! It doesn’t expire even after I come back to the page after 24 hours.

I can destroy a session using unset() but what happens if a user forgot to logout and just closed a browser? A next user will see the same page the previous user worked on. What am I doing wrong?

Any explanation will be appreciated.

Settings session.cookie_lifetime=0 (0 by default) should be enough in php.ini
If you don’t have access to php.ini, you need to use ini_set().
Be sure to call ini_set() before starting a session.
If you’ve done that, be sure to clear your browser history and cookies, close the browser and try again.
If that doesn’t work, check your history settings to see if authenticated sessions should be remembered after closing the browser.
With closing the browser, I mean all browser windows, not just the one window.

Sessions can still exist after 24h, even with session.gc_maxlifetime is set to 1440.
The session garbage collection depends on session.gc_maxlifetime, session.gc_probability, session.gc_divisor and session.save_path.

Let’s assume session.gc_probability=5 and session.gc_divisor=200.
In this case PHP generates a random number between 0 and 200, and generates 5 other random numbers to compare to the first generated number.
If one of those 5 random numbers is equal to the first generated number, the garbage collector will run.
The garbage collector then searches for all sessions that have not been accessed in the last 1440 seconds and removes them from the directory set in session.save_path (or the path used by your session save handler).

When all session files are stored in the same directory, and using different gc_maxlifetimes, you’ll see that sessions that should last 1440 seconds will regularly be removed after 100 seconds.
So use another save_path when using a custom value for gc_maxlifetime.

To remove sessions the site must have constant traffic. I assume this site is in development and you are the only user visiting it at the moment. Without PHP running every so often it can not run its garbage collector (GC). When it cannot run its GC the sessions will not expire for who knows how long.

I am using MAMP and connecting to localhost. Yes, I am the only user.
So, the phrase “The session will expire when you close a browser” does not apply to every single case as a general rule?
Right now, If I want to destroy a session without using unset(), I have to completely quit a browser application. Just closing all windows doesn’t do the job.

“Close the Browser” means to stop running all instances of that browser. Just closing a browser window isn’t closing the browser. All session cookies are stored within the browser application itself and so as long as the browser is running they will exist but as soon as you close the browser completely they have nowhere to exist and so will be gone. The session itself may still exist in that case but there is no longer a browser with a copy of that session id to reference it.