Session expiration is not an exact measurement.
Sessions are not expired immediately after the max lifetime is reached. What happens is after that amount of time has passed the session is then available to be removed by the garbage collector.
The garbage collector uses the following settings to determine when to run: session.gc_probability and session.gc_divisor.
On each request it checks if the garbage collector should run using (gc_probability / gc_divisor) = chance to run. So if gc_probability is 1 and gc_divisor is 100, each request will have a 1% chance to trigger the garbage collection.
When the garbage collection is triggered it removes all sessions that are older than the gc_maxlifetime.
If a request tries to use a session that is past the gc_maxlifetime but not yet removed by the garbage collector it will work and load the session even though it is past the gc_maxlifetime.
There is also the session.cookie_lifetime which controls when the session cookie expires.
Session documentation: http://www.php.net/manual/en/session.configuration.php
spekkionu said:
Session expiration is not an exact measurement.
...
Ok, thanks for the info.
With all that said, are you saying there's no real way of knowing whether or not a session is actually expired even if you know how long a session is supposed to be?
I'd like to show the expired session message if possible, but there's not a lot of point doing that if I show a message while a session is still active and usable.
I think to do that you would need to remove the session yourself, i.e. after a certain time has passed, send an ajax request to log the user out.
I guess you could also send an ajax request that checks if the session is still valid before showing the message but that would reset the timer if it was still valid.
Five minutes is a pretty short timeout.
I don't even think my bank logs me out that quickly.
You might end up annoying users if they keep having to log in while using the site.
spekkionu said:
I think to do that you would need to remove the session yourself, i.e. after a certain time has passed, send an ajax request to log the user out.
I guess you could also send an ajax request that checks if the session is still valid before showing the message but that would reset the timer if it was still valid.
Yes, the AJAX request resetting the idle timer is what I was struggling with up until now.
Five minutes is a pretty short timeout.
I don't even think my bank logs me out that quickly. You might end up annoying users if they keep having to log in while using the site.
The 5 minute timeout is during dev only - the live site will be set to a realistic interval.
I guess the only valid timer is client-side so that it doesn't reset the timer, or something flashy with Node.js maybe (although that's well beyond my ability right now).
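An added example, not code from any poster in this thread: one way to make expiry exact regardless of when the garbage collector runs is to keep an explicit activity timestamp in the session, refresh it only on real page requests, and let a status poll read it without touching it. The names `IDLE_LIMIT`, `last_activity`, `sessionSecondsLeft` and `touchOrExpire` are hypothetical, and the sample timestamps are constructed.

```php
<?php
// Added example: explicit idle-timeout check that does not rely on session GC.
// IDLE_LIMIT, 'last_activity' and both function names are hypothetical.
const IDLE_LIMIT = 300; // seconds; the 5-minute dev value mentioned in the thread

/** Read-only status check for an AJAX poll: never updates the timestamp. */
function sessionSecondsLeft(array $session, int $now): int
{
    if (!isset($session['last_activity'])) {
        return 0; // no timestamp recorded, treat as expired
    }
    return max(0, IDLE_LIMIT - ($now - $session['last_activity']));
}

/** Call on real page requests: expire if idle too long, otherwise refresh. */
function touchOrExpire(array &$session, int $now): bool
{
    if (sessionSecondsLeft($session, $now) === 0) {
        // In a live app also call session_destroy() and clear the cookie.
        $session = [];
        return false;
    }
    $session['last_activity'] = $now;
    return true;
}

// Constructed demo; in an application pass $_SESSION and time(),
// and set 'last_activity' at login.
$session = ['user_id' => 42, 'last_activity' => 1000];
var_dump(sessionSecondsLeft($session, 1200)); // status poll
var_dump(sessionSecondsLeft($session, 1290)); // later poll, timer was not reset
var_dump(touchOrExpire($session, 1290));      // real request refreshes the timer
var_dump(touchOrExpire($session, 1700));      // idle longer than IDLE_LIMIT
var_dump($session);                           // session data after expiry
```

Because the check runs on every request, a session file that is past gc_maxlifetime but not yet collected is still rejected once the recorded idle time exceeds the limit.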