(PHP 7 >= 7.1.0, PHP 8)
session_gc — Perform session data garbage collection
By default, PHP uses session.gc_probability to run the session garbage collector probabilistically on each request. There are some limitations with this approach:
For production systems, it is recommended to disable the
probability-based garbage collection by setting
session.gc_probability to 0
and explicitly trigger the garbage collector periodically, for example by using "cron" on
UNIX-like systems to run a script that calls session_gc().
Note: When calling session_gc() from a command-line php script, the session.save_path must be set to the same value as web requests, and the script must have access and delete permissions for the session files. This may be affected by the user the script runs as, and container or sandboxing features such as systemd's
PrivateTmp=option.
This function has no parameters.
session_gc() returns the number of deleted session
entries on success, or false on failure.
Note: Old session save handlers do not return the number of deleted session entries, but rather only a success/failure flag. If this is the case,
1is returned regardless of how many session entries are actually deleted.
Example #1 session_gc() example for task managers like cron
<?php
// Note: This script should be executed by the same user of web server process.
// Need active session to initialize session data storage access.
session_start();
// Executes GC immediately
session_gc();
// Clean up session ID created by session_start()
session_destroy();
?>Example #2 session_gc() example for user accessible script
<?php
// Note: session_gc() is recommended to be used by a task manager script, but
// it may be used as follows.
// Used for last GC time check
$gc_time = '/tmp/php_session_last_gc';
$gc_period = 1800;
session_start();
// Execute GC only when GC period elapsed.
// i.e. Calling session_gc() every request is waste of resources.
if (file_exists($gc_time)) {
if (filemtime($gc_time) < time() - $gc_period) {
session_gc();
touch($gc_time);
}
} else {
touch($gc_time);
}
?>Do not use:
if (session_gc() == false)
OR
if (!session_gc())
to evaluate if the garbage collector was triggered successfully since it also returns how many sessions it deleted, which can be 0 (and that evaluates to false with loose operators).
Sounds dumb, but it's a pitfall i fell into and it generated some confusion. Instead, use strict operator "===":
if (session_gc() === false)The session.gc() function does not seem to work alone. it deletes the data on the server but the data remains on the browser in the form of the cookie. the following code deletes the session files on the server but not on the browser.
ini_set('session.gc_maxlifetime', 10);
ini_set('session.gc_probability', 1);
ini_set('session.gc_divisor', 1);
// Start the session
session_start();
$_SESSION['test'] = 'temporary data';
session_write_close();
// Wait for 15 seconds to ensure the session expires
sleep(15);
// Manually start the session again to trigger session handling
session_start();
session_gc();
// Check if the session data is still available
if (isset($_SESSION['test'])) {
echo "Session is still active.";
} else {
echo "Session expired and file deleted.";
}
but this code delete the session files on the server and also deletes the cookie as well as making the super global empty:
session_start();
$_SESSION['test'] = 'temporary data';
session_write_close();
// Wait for 15 seconds to ensure the session expires
sleep(15);
session_start();
// Manually trigger garbage collection
setcookie(session_name(), '', time() - 10);
$_SESSION = [];
session_gc();
// Check if the session data is still available
if (isset($_SESSION['test'])) {
echo "Session is still active.";
} else {
echo "Session expired and file deleted.";
}