1. Session timeout problem
We found a nuance where a session times out even though the user is still active in it. The problem has to do with never modifying the session variable.
The GC clears session data files based on their last modification time. So if you never modify the session and only read from it, the GC will eventually clean it up.
To prevent this you need to ensure that your session is modified within the GC delete time. You can accomplish this like below.
if(!isset($_SESSION["last_access"]) || (time() - $_SESSION["last_access"]) >= 60) { $_SESSION["last_access"] = time(); }
This will update the session every 60s to ensure that the modification date is altered.
2. Session across various domains
Variations between http://, https:// and http://www. will throw off session data. If you want to share a session across different subdomains, you can refer to Using PHP sessions across subdomains.
3. session.cookie_lifetime
When setting the session.cookie_lifetime directive in a .htaccess file, use the string format, like:
php_value session.cookie_lifetime "123456"
but not
php_value session.cookie_lifetime 123456
Using an integer as stated above did not work in my case (Apache/2.2.11 (Ubuntu) PHP/5.2.6-3ubuntu4.5 with Suhosin-Patch mod_ssl/2.2.11 OpenSSL/0.9.8g).
4. session_destroy()
Remember that session_destroy() does not unset $_SESSION at the moment it is executed. $_SESSION is unset when the current script has stopped running.
session_destroy() destroys all of the data associated with the current session. It does not unset any of the global variables associated with the session, or unset the session cookie. To use the session variables again, session_start() has to be called.
Note that the data associated with $_SESSION will be deleted, but the $_SESSION value itself will not be removed. See here for more details.
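Because session_destroy() leaves both $_SESSION and the session cookie in place, a logout routine has to clear them itself. The following is an added example, not code from the original article; the function name end_session() is hypothetical, and it assumes PHP 5.4 or later (for session_status()) and cookie-based sessions.

```php
<?php
// Added example: complete session teardown for a logout handler.
// end_session() is a hypothetical helper name, not a PHP built-in.
function end_session()
{
    // session_destroy() only works on an active session, so resume it first.
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }

    // session_destroy() does not unset $_SESSION for the rest of this request,
    // so later code in the same script could still read the old values.
    $_SESSION = array();

    // session_destroy() does not unset the session cookie either. Expire it
    // with the same path/domain/flags it was set with, otherwise the browser
    // keeps it and sends the old session ID again.
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(
            session_name(),
            '',
            time() - 42000,
            $p['path'],
            $p['domain'],
            $p['secure'],
            $p['httponly']
        );
    }

    // Finally remove the server-side session data.
    session_destroy();
}

// Usage in a logout script: must run before any output is sent,
// because setcookie() needs to emit a header.
end_session();

// To use session variables again, session_start() has to be called;
// regenerating the ID means the new session never reuses the old identifier.
session_start();
session_regenerate_id(true);
```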
Note: This is a summarized article which uses resources provided by visitors of the PHP manual. The reference site is http://php.net/manual/en/manual.php