2. Session timeout

Created Monday 02 December 2013




" ...
One thing you might not have noticed is that in the Debian/Ubuntu distro, by default PHP disables its session garbage collection mechanism

(eg. the default php.ini contains the line ;session.gc_probability = 0 in Ubuntu).

Instead, it runs a cron job every half hour (see the script /etc/cron.d/php5) to purge session files in the /var/lib/php5/ directory. In most cases, this doesn't do the session cleanup job for us as session data may not be saved in files under the /var/lib/php5/ directory (like in Drupal). Thus by default PHP session garbage collection does not run in Debian/Ubuntu as many may expect.
- See more at: http://www.appnovation.com/session-garbage-collection-php#sthash.h75pNVp8.dpuf
... "


" ...
Edit the file /usr/lib/php5/maxlifetime

The value should be in seconds. This file will actually also check your php.ini
... "

09,39 * * * * root [ -x /usr/lib/php5/maxlifetime ] && [ -d /var/lib/php5 ] && find /var/lib/php5/ -depth -mindepth 1 -maxdepth 1 -type f -cmin +$(/usr/lib/php5/maxlifetime) ! -execdir fuser -s {} 2>/dev/null \; -delete
09,39 - run every 9th and 39th minute, thus every 30 minutes

-x - file has execute permission
-d - file is a directory

Man page
find -depth - Process each directory's contents before the directory itself. The -delete action also implies -depth.
find -mindepth levels - Do not apply any tests or actions at levels less than levels (a non-negative integer). -mindepth 1 means process all files except the command line arguments.
find -maxdepth levels - Descend at most levels (a non-negative integer) levels of directories below the command line arguments. -maxdepth 0 means only apply the tests and actions to the command line arguments.
find -type f - regular file
find -cmin n - File's status was last changed n minutes ago.
find ! expr True if expr is false. This character will also usually need protection from interpretation by the shell.
-exec command ;
Execute command; true if 0 status is returned. All following arguments to find are taken to be arguments to the command until an argument consisting of `;' is encountered. The string `{}' is replaced by the current file name being processed everywhere it occurs in the arguments to the command, not just in arguments where it is alone, as in some versions of find. Both of these constructions might need to be escaped (with a `\') or quoted to protect them from expansion by the shell. See the EXAMPLES section for examples of the use of the -exec option. The specified command is run once for each matched file. The command is executed in the starting directory. There are unavoidable security problems surrounding use of the -exec action; you should use the -execdir option instead.

-exec command {} +
This variant of the -exec action runs the specified command on the selected files, but the command line is built by appending each selected file name at the end; the total number of invocations of the command will be much less than the number of matched files. The command line is built in much the same way that xargs builds its command lines. Only one instance of `{}' is allowed within the command. The command is executed in the starting directory.
-execdir command ;

-execdir command {} +
Like -exec, but the specified command is run from the subdirectory containing the matched file, which is not normally the directory in which you started find. This a much more secure method for invoking commands, as it avoids race conditions during resolution of the paths to the matched files. As with the -exec action, the `+' form of -execdir will build a command line to process more than one matched file, but any given invocation of command will only list files that exist in the same subdirectory. If you use this option, you must ensure that your $PATH environment variable does not reference `.'; otherwise, an attacker can run any commands they like by leaving an appropriately-named file in a directory in which you will run -execdir. The same applies to having entries in $PATH which are empty or which are not absolute directory names.

fuser - identify processes using files or sockets
fuser displays the PIDs of processes using the specified files or file systems.
fuser -s - Silent operation. -u and -v are ignored in this mode. -a must not be used with -s.

The > operator redirects the output usually to a file but it can be to a device. You can also use >> to append.

If you don't specify a number then the standard output stream is assumed but you can also redirect errors

> file redirects stdout to file
1> file redirects stdout to file
2> file redirects stderr to file
&> file redirects stdout and stderr to file

/dev/null is the null device it takes any input you want and throws it away. It can be used to suppress any output.

find -delete - Delete files; true if removal succeeded. If the removal failed, an error message is issued. If -delete fails, find's exit status will be nonzero (when it eventually exits). Use of -delete automatically turns on the -depth option.

find +$(/usr/lib/php5/maxlifetime) - greater than a number returned by $(...) expression

#!/bin/sh -e


if which php5 >/dev/null 2>&1; then
for sapi in apache2 apache2filter cgi fpm; do
if [ -e /etc/php5/${sapi}/php.ini ]; then
cur=$(php5 -c /etc/php5/${sapi}/php.ini -d "error_reporting='~E_ALL'" -r 'print ini_get("session.gc_maxlifetime");')
[ -z "$cur" ] && cur=0
[ "$cur" -gt "$max" ] && max=$cur
for ini in /etc/php5/*/php.ini /etc/php5/conf.d/*.ini; do
cur=$(sed -n -e 's/^:space:*session.gc_maxlifetime:space:*=:space:*\([0-9]\+\).*$/\1/p' $ini 2>/dev/null || true);
[ -z "$cur" ] && cur=0
[ "$cur" -gt "$max" ] && max=$cur

echo $(($max/60))

exit 0

Man page
which filename - returns the pathnames of the files (or links) which would be executed in the current environment, had its arguments been given as commands in a strictly POSIX-conformant shell. It does this by searching the PATH for executable files matching the names of the arguments. It does not follow symbolic links.
which php5 - returned /usr/bin/php5

1 is stdout. 2 is stderr.

Here is one way to remember this construct (altough it is not entirely accurate): at first, 2>1 may look like a good way to redirect stderr to stdout. However, it will actually be interpreted as "redirect stderr to a file named 1". & indicates that what follows is a file descriptor and not a filename. So the construct becomes: 2>&1.

Man page
php5 -c path|file Look for php.ini file in the directory path or use the specified file
php5 -d foo[=bar] - Define INI entry foo with value bar
php5 -r code - Run PHP code without using script tags '<?..?>'

string ini_get (string $varname) - Returns the value of the configuration option on success.

[ -z string ] - true if string has zero length