Why is the standard session lifetime 24 minutes (1440 seconds)?


The real answer is probably very close to this:

Back during PHP3 days, PHP itself had no session support.

But an open-source library called PHPLIB, initially written by Boris Erdmann and Kristian Koehntopp from NetUSE AG, provided sessions via PHP3 code.

Session lifetimes were defined in minutes, not seconds. And the default lifetime was 1440 minutes, or exactly one day. Here's that line of code from PHPLIB:

var $gc_time  = 1440;       ## Purge all session data older than 1440 minutes.

Sascha Schumann was involved with the PHPLIB project around the period of 1998 to 2000. There's no doubt he was familiar with the PHP3 session code.

Then PHP4 came out in the year 2000 with native session support, but now the lifetime was specified in seconds.

I'll bet someone just never bothered converting minutes to seconds. It's probable that person was Sascha Schumann. Once that value was coded into the Zend engine, it became the configuration (php.ini) default as well.


Author: Anna Völkl

Lead Magento Developer @ E-CONOMIX; Magento Master (Mentor) 2016, 2017 and 2018; Magento Certified Solution Specialist; Magento Certified Developer; Magento Certified Frontend Developer; Magento 2 Certified Solution Specialist; PHP Developer since 2004; co-organizer of MageStackDay; co-organizer of the Magento Meetup Austria; more: https://anna.voelkl.at

Updated on July 08, 2022

Comments

  • Anna Völkl, almost 2 years

    I've been doing some research on PHP Session Handling and came across the session.gc_maxlifetime value of 1440 seconds. I've been wondering why the standard value is 1440 and how it is calculated? What is the basis for this calculation?

    How long does it make sense to keep sessions? What min/max values for session.gc_maxlifetime would you recommend? The higher the value, the more vulnerable the Web-App is to Session Hijacking, I'd say.

    • Praveen Kumar Purushothaman, over 11 years
      +1 Nice question. Something related to 60 x 12 x 2... Let's wait for interesting answers... :)
    • Álvaro González, over 11 years
      Here's the source code line where the default value is set. Those familiar with GIT may be able to track its history and maybe find an RFC or bug ticket (if any).
    • Anil Namde, over 11 years
      stackoverflow.com/questions/156712/… might help some earlier discussion done on this
    • Anna Völkl, over 11 years
      @Anil: This discussion does not answer my question.
    • Dai, over 11 years
      @ÁlvaroG.Vicario I found the change: github.com/php/php-src/commit/… however there is zero relevant associated documentation. 1440 was indeed the original number of minutes for the timeout, so I guess we'll never know unless someone tracks down Sascha Schumann.
    • Dai, over 11 years
      I found Sascha's email address and contacted him about this; I'll let people know if he responds.
    • Dennis, about 4 years
      Why didn't Sascha respond!?
  • Félix Adriyel Gagnon-Grenier, almost 10 years
    So why is it the standard session lifetime?
  • dimitar veselinov, about 9 years
    Because it's a math nerd number that's approximately the same as what research shows is the largest time between two requests in the same session (20-30 minutes).
  • Markus Malkusch, about 8 years
    It strikes to one's eyes that 24 gets a special meaning when changing the unit. So out of the given answers yours makes the most sense to me.
  • Markus Malkusch, about 8 years
    @dimitarveselinov Which research?
  • SysVoid, about 8 years
    That's interesting. Thanks for sharing! :)
  • Anna Völkl, about 8 years
    This is really interesting! Thanks!
  • CXJ, almost 7 years
    One reference to PHP4 default settings: github.com/php/php-src/blob/PHP-4.0/ext/session/session.c
  • dr_hanns, about 5 years
    According to PHP documentation the session lifetime is set in seconds: php.net/manual/en/…