I've been doing some research on PHP Session Handling and came across the session.gc_maxlifetime
value of 1440 seconds.
I've been wondering why the standard value is 1440 and how it is calculated?
What is the basis for this calculation?
How long does it make sense to keep sessions? What min/max values for session.gc_maxlifetime would you recommend?
The higher the value, the more vulnerable the Web-App is for Session Hijacking, I'd say.
The real answer is probably very close to this:
Back during PHP3 days, PHP itself had no session support.
But an open-source library called PHPLIB, initially written by Boris Erdmann and Kristian Koehntopp from NetUSE AG, provided sessions via PHP3 code.
Session lifetimes were defined in minutes, not seconds. And the default lifetime was 1440 minutes, or exactly one day. Here's that line of code from PHPLIB:
var $gc_time = 1440; ## Purge all session data older than 1440 minutes.
Sascha Schumann was involved with the PHPLIB project around the period of 1998 to 2000. There's no doubt he was familiar with the PHP3 session code.
Then PHP4 came out in the year 2000 with native session support, but now the lifetime was specified in seconds.
I'll bet someone just never bothered converting minutes to seconds. It's probable that person was Sascha Schumann. Once that value was coded into the Zend engine, it became the configuration (php.ini
) default as well.
1440 is used in a time calculation turning seconds into hours/days.
- 1 day = 24 hours ( hours * 24 = 1 day )
- day = 1440 minutes ( minutes * 60 * 24 = 1 day )
- day = 86400 seconds ( seconds * 60 * 1440 = 1 day )
Example:
9 days [* 60] = 540 [* 1440] = 777600 seconds
The same is true in reverse:
777600 seconds [/ 1440] = 540 [/ 60] = 9 days