The php.ini file – Configuring Sessions in your Application

I mentioned in the last post that there are over 11 different variables in the php.ini file to use to configure how PHP uses sessions in your application.  I thought a post you could use as a reference to help you configure the session portion of your php.ini file might be helpful.

The first problem you'll encounter is that there is more than one php.ini file on your computer.  Hmmm...Which one do you use?  On my Windows system, I did a search for all the php.ini files on my computer and came up with 23 of them.  What's going on?  As I looked over the list, I realized that most of these came from backups of my previous development efforts.  Since I use the WAMP local development server on my Windows system (WAMP stands for Windows, Apache, MySQL, and PHP), I limited my search to the php.ini files in the WAMP directory.  This cut the list down to two: one in the php directory and one in the apache\bin directory.  The reason there are two is that the Apache php.ini is the one used when you are getting ready to deploy your system, for better performance and security, while the php.ini in the php directory is used during development and allows for more verbose error messages.  Since we want to configure how PHP handles sessions, and my applications need to deploy properly, I usually just configure the Apache php.ini file.

If you open the php.ini file in a text editor, you'll find a text file of comments interspersed with variables, many of which start with a semicolon. A semicolon in front of a variable means that PHP ignores it. To make a variable active, you remove the semicolon.

The php.ini file is fairly long.  If you have line numbers turned on in your text editor, the end of the file comes in at about 1885 lines.  Somewhere around line 1435 a long list of variables starting with the word "session." begins; I counted 24 specific session variables you can configure, so I was off a bit on the number in the last post.  Let's go through them.

The default variables are the ones with no semicolon in front.  Most of these are standard and do not need to be changed.  For example, the WAMP default save path, stored in "session.save_path", is where all session files are stored. The default is "c:\wamp\tmp". If you look in that directory, you'll see past session files. These are dense text files you can view with a text editor, and this is how session information and session variables are stored and used from page to page.

"session.use_cookies = 1" tells PHP to use cookies to store the session ID (see my previous post for a description of the session ID).  If cookies are turned off on a user's computer, the session ID is transmitted in the URL, like with a GET form method.  This makes the session ID public in the URL.  You can tell PHP not to do this by setting "session.use_only_cookies = 1", which is the default. Later in the php.ini file you'll find "session.use_trans_sid", which tells PHP to detect browsers with cookies disabled and pass the session ID in the GET URL instead.  The default here is also off, or 0.

"session.auto_start = 0" tells PHP not to start a session when the user first accesses the server.  A "1" would start a session automatically.  The default is off.  You'd think you'd want to start sessions automatically when a user goes to your web site, but I prefer not to autostart sessions, because later, when we pass objects, you'll find that classes need to be defined before you can pass an object in a session.  If you autostart the session, nothing is defined before the session starts, and objects cannot be passed.  This could give you nightmares trying to figure out why your application isn't working; much more on this later.

With a lot of these variables, the default is fine.  There is a series of variables used by the setcookie function, which let you control the use of the cookie with sessions.  These include session.cookie_lifetime, session.cookie_path, session.cookie_domain, and session.cookie_httponly.  You can restrict cookie use to certain domains, for example; the default is that cookies can be used on all domains.

session.gc_probability and session.gc_divisor: PHP has garbage collection that it uses to clean up sessions that have expired; otherwise a site with a lot of users would generate a huge number of session files that are never removed.  The default is fine. Garbage collection does not happen automatically and needs to be incorporated into your system maintenance routines.

This brings us to "session.gc_maxlifetime = 1440".  This is the lifetime of your session in seconds before the file will be marked for deletion; PHP cleans out the file as part of its garbage collection.  The default is 24 minutes.  If users are on your site longer, selecting items for their shopping cart, for example, you want to make this number larger.

The next series of variables concerns security and using sessions as a global variable, which is bad for both the application and security.  These variables, session.bug_compat_42, session.bug_compat_warn, session.referer_check, session.entropy_length, and session.entropy_file, change from release to release as PHP gets more secure, and should not be changed.

Browsers cache web pages to improve performance.  For security reasons you want to limit page caching with sessions, since page caching can make your session information public, so you want to limit browser page caching on pages with sensitive information.  This is controlled with "session.cache_limiter" and "session.cache_expire".  I encourage you to use "nocache", which is the default and turns off page caching on pages with session information.

The last session variables, "session.hash_function" and "session.hash_bits_per_character", concern how the session ID is generated.  The default settings are already robust; leave them alone.  That's about it for configuring sessions in the php.ini file.
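As an added example (not code from the original post), here is a small Python checker that reads the session block of a php.ini, honours the semicolon comment rule described above, and flags the directives this post recommends setting explicitly; the php.ini text below is constructed for the example, not copied from a real install.

```python
# Constructed php.ini session block (not a real file); mirrors the directives the post walks through.
SAMPLE_PHP_INI = r"""[Session]
session.save_path = "c:\wamp\tmp"
session.use_cookies = 1
;session.use_only_cookies = 1
session.use_trans_sid = 1   ; falls back to carrying the session ID in the URL
session.auto_start = 0
session.cookie_httponly =
session.gc_probability = 1
session.gc_divisor = 1000
session.gc_maxlifetime = 1440
session.cache_limiter = nocache
"""

# Values this checker wants set explicitly, following the post's recommendations.
BASELINE = {
    "session.use_only_cookies": "1",   # never accept a session ID from the URL
    "session.use_trans_sid": "0",      # do not rewrite URLs to carry the session ID
    "session.auto_start": "0",         # start sessions only after classes are defined
    "session.cookie_httponly": "1",    # keep scripts in the page away from the cookie
    "session.cache_limiter": "nocache",
}

def parse_session_directives(text):
    """Return active session.* directives; a leading ';' comments a line out,
    so PHP falls back to its built-in default for that directive."""
    active = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("["):
            continue  # blank line, comment, or [Section] header
        key, sep, value = line.partition("=")
        if not sep:
            continue
        key = key.strip()
        value = value.split(";", 1)[0].strip().strip('"')  # drop trailing comment and quotes
        if key.startswith("session."):
            active[key] = value
    return active

def audit(text):
    """Return (directive, found, expected) for each BASELINE directive not set as expected."""
    active = parse_session_directives(text)
    findings = []
    for key, expected in BASELINE.items():
        found = active.get(key, "<unset>")  # commented out or missing entirely
        if found != expected:
            findings.append((key, found, expected))
    return findings
```

Run `audit()` over the text of the Apache php.ini you deploy with; an `<unset>` finding means the directive is commented out and you are relying on PHP's built-in default rather than your own setting.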
