Okay, here's the 100-foot view of PHP's sessions.
When a user points his browser to your site for the first time, when session_start() is invoked in the code, PHP generates a unique id then sets a cookie on the client. The name of that cookie is the value of session.name, the value of that cookie will be the unique id, and the expiration of that cookie will be the current time plus the value of session.cookie_lifetime.
When the script stops executing, PHP creates a file in the directory set by the value of session.save_path. The name of the file will be "session_" concatenated with the unique id. PHP writes to that file the serialized version of $_SESSION.
When that user hits other scripts in your site and those scripts invoke session_start(), PHP takes the id from the session cookie and looks in the session store to find the file associated with this user's session variables. It prepends "session_" to the unique id in the session cookie, reads the file, and deserializes the values in the file into $_SESSION.
When the session cookie expires in the browser, either by shutting down the browser (using cookies with no expiration) or by the time passing (using cookies with explicit expirations), the browser does not send the cookie back to PHP. If PHP does not receive the session cookie back, it cannot know which session store file to open. The session variables for that user are no longer available.
Every time a script invokes session_start(), PHP checks the values of session.gc_probability and session.gc_divisor. Basically it divides session.gc_probability by session.gc_divisor, generates a random number, and compares that number to the result of the division. If the random number is less than the result of the division, PHP fires off its garbage-collection mechanism.
When PHP's garbage-collection mechanism operates, it compares the age of every session store file to the system clock and the value of session.gc_maxlifetime. If the file is older than the current time minus the value of session.gc_maxlifetime, then the garbage-collection mechanism deletes the file. Even if the user's browser provides a PHP session id to the script, the session variable store is gone, so the values are gone, too.
As scripts keep using sessions, the session file is refreshed at the end of each script run, so the file date on the file is being updated. This, I think, does not happen with cookies -- I believe that once PHP has received a session id cookie from the client browser, it does not change settings on the expiration of the cookie.
As far as where you can set PHP's session-handling configuration directives, the PHP online manual states (at
that all session configuration directives but one can be changed in any of php.ini, httpd.conf, .htaccess files, or in user code using ini_set() (
The exception is session.use_trans_sid, which can only be set in php.ini, httpd.conf, and .htaccess. (This is all described in the table at
. For information on what PHP_INI_ALL, etc., mean, look in the table at the bottom of
)
Want the best answers? Ask the best questions: TANSTAAFL!!
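
Added example, not part of the original post: because garbage collection only fires on a random fraction of session_start() calls, a session store file can outlive session.gc_maxlifetime, so a session that must expire after a fixed idle period needs an explicit check in application code. The names IDLE_LIMIT, last_seen, session_is_stale() and start_bounded_session() are hypothetical, and the directive values are constructed for illustration.

```php
<?php
declare(strict_types=1);

const IDLE_LIMIT = 1800; // assumed policy: 30 minutes of inactivity

// Pure decision: has this session been idle longer than the limit?
function session_is_stale(array $session, int $now, int $idleLimit): bool
{
    return isset($session['last_seen'])
        && ($now - (int) $session['last_seen']) > $idleLimit;
}

function start_bounded_session(int $idleLimit = IDLE_LIMIT): void
{
    // The directives discussed above; they must be set before session_start().
    ini_set('session.gc_maxlifetime', (string) $idleLimit);
    ini_set('session.cookie_lifetime', '0'); // cookie ends with the browser session
    ini_set('session.gc_probability', '1');  // example values: GC runs on roughly
    ini_set('session.gc_divisor', '100');    // 1 in 100 session_start() calls

    session_start();

    if (session_is_stale($_SESSION, time(), $idleLimit)) {
        // The store file is still here only because GC has not fired yet.
        // Discard it now instead of trusting the stale contents.
        $_SESSION = [];
        session_destroy();
        session_start();
        session_regenerate_id(true); // issue a fresh id, delete the old file
    }

    // Record activity server-side; the cookie expiry is not refreshed for us.
    $_SESSION['last_seen'] = time();
}

// Constructed check of the decision function when run from the command line.
if (PHP_SAPI === 'cli') {
    $now = 1700000000; // constructed timestamp
    var_dump(session_is_stale(['last_seen' => $now - 60], $now, IDLE_LIMIT));
    var_dump(session_is_stale(['last_seen' => $now - 3600], $now, IDLE_LIMIT));
    var_dump(session_is_stale([], $now, IDLE_LIMIT)); // brand-new session
}
```

Call start_bounded_session() in place of a bare session_start() at the top of each script, before any output is sent.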