PHP Session File Cleanup: Automatic Deletion Mechanisms and Manual Management Best Practices



In a default PHP installation, session files stored in /tmp (or your configured session.save_path) are indeed subject to automatic cleanup, but the mechanism has some important nuances:


; Default PHP session configuration (php.ini)
session.gc_probability = 1
session.gc_divisor = 100
session.gc_maxlifetime = 1440  ; 24 minutes

The garbage collection process runs probabilistically during session initialization. With default settings (1/100 chance), GC will:

  • Scan session files older than session.gc_maxlifetime (seconds)
  • Delete expired sessions based on their last modification time

Common reasons for session file accumulation:


1. High-traffic sites with default GC probability
2. Custom session.save_path without proper permissions
3. Overridden session handlers without GC implementation
4. Cron jobs or long-running processes keeping sessions alive

For production systems, consider these enhancements:


; Recommended php.ini adjustments
session.gc_probability = 5      ; More frequent cleanup
session.gc_divisor = 100
session.gc_maxlifetime = 1800   ; 30 minutes expiration

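<?php
// Alternative: custom cleanup script (run via cron)
$maxAge = 1800;                        // seconds; matches session.gc_maxlifetime above
$files  = glob('/tmp/sess_*') ?: [];   // glob() returns false on error
$now    = time();
foreach ($files as $file) {
    // Regular files only: skip symlinks and directories that other users may create in /tmp
    if (is_file($file) && !is_link($file) && filemtime($file) < ($now - $maxAge)) {
        unlink($file);
    }
}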

On Linux systems, the /tmp directory typically follows these rules:

  • Systemd: Clears /tmp on reboot unless configured otherwise
  • tmpwatch: Often runs daily to remove unused files (default 10-day threshold)
  • Manual cleanup: Requires caution to avoid deleting active sessions

For high-availability systems, consider these alternatives:


; Redis session handler example (requires the phpredis extension)
session.save_handler = redis
session.save_path = "tcp://127.0.0.1:6379?timeout=2.5"

PHP session files are temporary storage mechanisms that persist user session data between HTTP requests. By default, these files are stored in the system's temporary directory (often /tmp on Linux systems). The files typically follow the naming pattern sess_[session_id].

PHP provides two primary mechanisms for session file cleanup:

; php.ini settings controlling session cleanup
session.gc_probability = 1
session.gc_divisor = 100
session.gc_maxlifetime = 1440  ; 24 minutes default

The garbage collection process runs probabilistically based on the gc_probability/gc_divisor ratio. With default settings, there's a 1% chance the GC will run on each request.

Several scenarios can lead to session file buildup:

  • High-traffic websites generating many sessions
  • Misconfigured GC settings (probability too low or maxlifetime too high)
  • Sessions being created but never properly destroyed
  • Custom session handlers that don't implement cleanup

For systems with persistent session file issues, consider these approaches:

# Cron job to delete old session files (older than 2 days)
find /tmp -type f -name 'sess_*' -mtime +2 -delete

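# Alternative PHP script solution
<?php
// Delete only session files older than session.gc_maxlifetime, so active sessions survive.
// Assumes session.save_path is a plain directory (no "N;/path" depth prefix).
$session_path = ini_get('session.save_path') ?: sys_get_temp_dir();
$cutoff = time() - (int) ini_get('session.gc_maxlifetime');
foreach (glob("$session_path/sess_*") ?: [] as $file) {
    if (is_file($file) && !is_link($file) && filemtime($file) < $cutoff) {
        unlink($file);
    }
}
?>

<?php
// Always destroy sessions properly
session_start();
// ... session usage ...
session_destroy();  // Explicit cleanup

// Alternative: set a shorter lifetime for specific sessions
// (ini_set() must be called before session_start() to take effect)
ini_set('session.gc_maxlifetime', 3600);  // 1 hour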
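
A hardened form of the `find` cron cleanup shown above, as an added example that is not from the original page; the helper name `clean_php_sessions` and the script path in the cron comment are assumptions. It deletes only regular files directly inside the session directory whose names look like PHP session files and whose modification time is older than the given number of minutes.

```shell
#!/bin/sh
# Added example: age-based cleanup of PHP file-based sessions.
# clean_php_sessions is a hypothetical helper name, not part of PHP.
# Usage: clean_php_sessions DIR MAX_AGE_MINUTES   (prints number of files deleted)

clean_php_sessions() {
    dir=$1
    max_age=$2

    # Absolute paths only, so an unexpected working directory under cron
    # can never point the cleanup at the wrong place.
    case $dir in
        /*) ;;
        *) echo "refusing non-absolute path: $dir" >&2; return 2 ;;
    esac

    # The target must be a real directory, not a symlink to one.
    if [ ! -d "$dir" ] || [ -L "$dir" ]; then
        echo "not a real directory: $dir" >&2
        return 2
    fi

    # Age must be a non-empty string of digits; a plain 0 is rejected.
    case $max_age in
        ''|0|*[!0-9]*) echo "invalid age: $max_age" >&2; return 2 ;;
    esac

    # -maxdepth 1  stay inside the session directory, no recursion
    # -type f      regular files only; symlinks and directories are skipped
    # 2nd -name    skip names with characters that never occur in a PHP
    #              session ID (letters, digits, ',' and '-')
    # -mmin +N     last modified more than N minutes ago
    find "$dir" -maxdepth 1 -type f \
        -name 'sess_?*' ! -name 'sess_*[!A-Za-z0-9,-]*' \
        -mmin "+$max_age" -print -delete | wc -l | tr -d ' '
}

# Constructed cron entry (script path is a placeholder):
#   */15 * * * * /path/to/clean-php-sessions.sh /tmp 30
if [ "$#" -eq 2 ]; then
    clean_php_sessions "$1" "$2"
fi
```

Run it as the user that owns the session files, and keep the age at or above session.gc_maxlifetime so sessions PHP still considers valid are not removed.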

For high-performance systems, consider implementing a custom session handler that uses alternative storage such as Redis or a database.

Regularly check your session directory status:

# Count session files
find /tmp -maxdepth 1 -type f -name 'sess_*' | wc -l

# Check total size (-c adds a grand total; tail keeps only that line)
du -ch /tmp/sess_* | tail -n 1