Hi,

On Mon, 21 Aug 2006 23:26:18 -0400, in php.internals [EMAIL PROTECTED] (Robert Cummings) wrote:

>> I believe that it is more easy and nice for a web developer to discard
>> a session in a system with a high gc_maxlifetime than to keep a
>> session alive (e.g. having the page access a php resource every couple
>> of minutes using javascript).
>
> The short duration is to help ensure better privacy. It means that if
> you leave a computer and forget to close down the browser then snoopy
> people only have 24 minutes to access anything you left behind.

That value still seems pretty arbitrary. As mentioned, it would be much easier for a developer to discard specific session variables after a shorter period of time than to extend this period. Far from all session data is private data, and it doesn't have to be nuked after 24 minutes. The developer could also distinguish between sensitive and non-sensitive data and discard a few session variables instead of nuking all data in the current session.

The method of extending the timeout is also pretty cumbersome and pretty much a hack. One would have the pages perform background requests as a form of keepalive requests.

> 24 minutes is probably some value that lies between irritatingly quick
> session expiry and overly long session lifespans -- at least for a
> default value.

I would disagree. I don't think that the default value of 1440 seconds was set because of this - I simply think it was meant to be one day in the first place. I believe that a value of half a day or a day is more sensible. At least I have experienced a couple of incidents where I or some of my users have used more than 24 minutes between pages.

As with other parts of PHP, the application should handle security, including reasonable timeout values for different tasks. The garbage collection is a safety valve (as with any other garbage collection).

Summarized: A higher default gc_maxlifetime would benefit:

+ Fewer strange session expiration incidents (with non-private data)
+ Easier for the administrator to maintain his own timeout value (above 24 minutes) without resorting to keepalive hacks
! Security handling should, where possible, be performed by the code.

-- 
- Peter Brodersen

-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
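The approach argued for in this mail, a long `session.gc_maxlifetime` with the application itself expiring only its sensitive entries after a short idle window, as an added example written for this page (it is not code from the thread or from PHP itself). The helper names, the `_sensitive` keys and the 12-hour and 24-minute values are assumptions chosen for illustration.

```php
<?php
// Added example, not part of the original mail. Keep the session itself
// alive for a long time, and drop only the sensitive entries after a short
// period of inactivity. All names and values below are hypothetical.

declare(strict_types=1);

const SENSITIVE_IDLE_SECONDS   = 24 * 60;      // short window for sensitive data
const SESSION_LIFETIME_SECONDS = 12 * 60 * 60; // long window for the session as a whole

// gc_maxlifetime must be set before session_start(). Garbage collection
// only runs on a fraction of requests (session.gc_probability /
// session.gc_divisor), so it is a safety valve, not a precise timer.
ini_set('session.gc_maxlifetime', (string) SESSION_LIFETIME_SECONDS);
session_start();

/** Drop the sensitive entries once they have been idle too long; otherwise refresh the window. */
function expireSensitiveIfIdle(): void
{
    $touched = $_SESSION['_sensitive_touched'] ?? null;
    if ($touched === null) {
        return; // nothing sensitive stored
    }
    if (time() - $touched > SENSITIVE_IDLE_SECONDS) {
        // Only the sensitive bucket goes; cart contents, preferences etc. survive.
        unset($_SESSION['_sensitive'], $_SESSION['_sensitive_touched']);
        return;
    }
    $_SESSION['_sensitive_touched'] = time(); // activity extends the short window
}

/** Store a value that should disappear after SENSITIVE_IDLE_SECONDS of inactivity. */
function setSensitive(string $key, $value): void
{
    $_SESSION['_sensitive'][$key]   = $value;
    $_SESSION['_sensitive_touched'] = time();
}

/** Fetch a sensitive value, or null once the short idle window has passed. */
function getSensitive(string $key)
{
    expireSensitiveIfIdle();
    return $_SESSION['_sensitive'][$key] ?? null;
}

// Constructed usage: call the expiry check at the top of every request so a
// coffee break longer than 24 minutes clears the re-auth token but leaves
// the (non-private) shopping cart in place under the 12-hour session.
expireSensitiveIfIdle();
$_SESSION['cart'] = ['sku-123' => 2];
setSensitive('reauth_token', bin2hex(random_bytes(16)));
var_dump(getSensitive('reauth_token') !== null); // true on the same request
```

Calling `expireSensitiveIfIdle()` on every request is what makes the short window an idle timeout rather than an absolute one; if the sensitive data should expire a fixed time after it was stored regardless of activity, drop the refresh branch and compare against the time it was set instead.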