It appears that by default under Debian session.gc_probability is set to 0 which, if I am understanding things correctly, means that sessions will never be expired by PHP itself. Debian, according to notes in /usr/share/doc/php4-common, relies on a cron job to clear out the session directory. Since Drupal keeps sessions in a database they stay around forever.

I think the best solution is to make it probable that sessions will be expired by adding the following to your site settings file (in my case sites/default/settings.php around line 112):

ini_set('session.gc_probability',   1);
ini_set('session.gc_divisor',   100);

This means there will be a 1 in 100 chance that a garbage collection run, of all sessions on this machine, will happen on session initialisation. This area of PHP is a bit complex and it's best to read the documentation that user.module points you to:
PHP Session Handling

Just in case it is relevant, I have an almost untouched installation of Debian 3.1, just the usual local customisations and extra security, and I'm using the default settings for both Apache/2.0.54 and PHP/4.3.10-16. I've added some local websites, but they are very simple.

For the site I am working on I really need a more certain automatic logout of inactive users. I've had a good hunt around on the forums here but to no avail so it looks like I'm going to be doing some coding!

Lee
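
Added example, not part of the original post and not Drupal code: because garbage collection only runs with probability gc_probability/gc_divisor, a reliable logout of inactive users needs an explicit idle check on every request. The sketch below assumes PHP 7+ and native PHP sessions; IDLE_LIMIT, its 1800-second value and enforce_idle_timeout() are hypothetical names chosen for illustration.

```php
<?php
// Added example (not Drupal code): deterministic idle timeout that does not
// depend on session.gc_probability. Assumes PHP 7+ and native sessions.
// IDLE_LIMIT and enforce_idle_timeout() are hypothetical names.

const IDLE_LIMIT = 1800; // allowed inactivity in seconds (assumed value)

/**
 * Check the last-activity stamp stored in the session data.
 * Returns true and refreshes the stamp if the session is still fresh;
 * returns false and wipes all session data if it has been idle too long.
 * Takes the array by reference so it can be exercised without a live session.
 */
function enforce_idle_timeout(array &$session, int $now, int $limit = IDLE_LIMIT): bool
{
    $last = $session['last_activity'] ?? null;
    if ($last !== null && ($now - (int) $last) > $limit) {
        $session = [];   // drop the login and everything else tied to it
        return false;
    }
    $session['last_activity'] = $now;
    return true;
}

if (PHP_SAPI === 'cli') {
    // Constructed sample data: a logged-in session last used at t=1000.
    $sample = ['uid' => 7, 'last_activity' => 1000];
    foreach ([1000 + 600, 1000 + 600 + 1801] as $t) {
        $ok = enforce_idle_timeout($sample, $t);
        printf("t=%d fresh=%s data=%s\n", $t, var_export($ok, true), json_encode($sample));
    }
} else {
    // On every request, before any access check reads the session.
    session_start();
    if (!enforce_idle_timeout($_SESSION, time())) {
        // Issue a new session ID and delete the stale record right away,
        // instead of waiting for a garbage collection run to remove it.
        session_regenerate_id(true);
    }
}
```

With this check in place, garbage collection only cleans up storage; whether an idle session is still accepted no longer depends on when a collection run happens.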

Comments

quicksketch

This was finally fixed in Drupal 7 by manually configuring these options in settings.php. See http://drupal.org/node/72856#comment-1774258

/**
 * Some distributions of Linux (most notably Debian) ship their PHP
 * installations with garbage collection (gc) disabled. Since Drupal depends on
 * PHP's garbage collection for clearing sessions, ensure that garbage
 * collection occurs by using the most common settings.
 */
ini_set('session.gc_probability', 1);
ini_set('session.gc_divisor', 100);