Session Expiration in Drupal
I’ve spent a significant amount of time researching session expiration in Drupal.
It turns out that by default Drupal sessions a session of 23 days. You can configure the session to expire at a shorter interval and you can configure Drupal to expire the session when the browser closes.
In addition, there is a module called Session_Expire, which pushes the cleanup of the sessions table in the database to the core Drupal cron job instead of relying on PHP garbage collection of your particular operating system which can vary.
Here’s the details of what I changed in one Drupal 6 setup. There is a whole section on sessions which are stored in /sites/default/settings.php.
/* ini_set('session.cookie_lifetime', 2000000); default 23 days */ /* expire session on browser close */ ini_set('session.cookie_lifetime', 0); /* ini_set('session.gc_maxlifetime', 200000); default 23 days */ /* session expires after 1 hour (without closing browser) */ ini_set('session.gc_maxlifetime', 3600); /* The following two lines collect garbage, this is done with session_expire module. In Drupal 7 they will be handled here ini_set('session.gc_probability', 1); ini_set('session.gc_divisor', 1); */
It doesn’t seem that there is much information out there on how this works, so I thought I would share my findings.
Also, as noted in the last comment I included from my settings.php, this is handled better in Drupal 7.