I just went through a two-week-long troubleshooting process to find the cause of sessions timing out earlier than expected. My PHP session config is as follows, and should definitely be the first place you look for an issue like this:
This indicates that cookies should expire only after the browser closes, not after a given timeframe (cookie_lifetime 0) and that when the session is inactive (the user left the browser window opened and logged in) it should take roughly 9.7 hours (3500 seconds) before a time out with a 0.1% chance (gc_probability/gc_divisor) of a timeout occurring in that timeframe.
Yet my sessions were still timing out after about an hour.
After much hunting around, I finally found the Plesk utility called maxlifetime, located at /usr/lib64/plesk-9.0/, which is called every hour by this cron script: /etc/cron.hourly/plesk-php-cleanuper
The maxlifetime script scans for all existing php.ini files, finds the session.gc_maxlifetime value that is the largest configured value, then uses it to determine when to actually clear out old sessions from the session directory (/var/lib/php/session).
The problem is that maxlifetime does not account for custom PHP configuration values defined per-domain.
This means that even if you’ve configured session.gc_maxlifetime to be longer than 1 hour for any given domain within Plesk, it will still have its session files cleared somewhere between the default of 24 minutes and 60 minutes. (The range is variable because it depends on the differential between when the session was created and when the cron script runs, which is hourly by default due to its location in /etc/cron.hourly).
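To see which lifetime the hourly cleanup would settle on, and which session files already fall past it, the selection rule described above can be reproduced by hand. This is an added example, not Plesk's maxlifetime script and not code from the original post; the function names are hypothetical, the `sess_` prefix is the file naming used by PHP's file-based session handler, and the per-domain value is passed in manually.

```shell
#!/bin/sh
# Added example (not Plesk's maxlifetime script): reproduces the selection
# rule the post describes so you can see which lifetime the hourly job uses.

# Largest session.gc_maxlifetime (seconds) set in the given php.ini files.
# Lines commented out with ";" do not match. Falls back to 1440, the PHP
# default, when none of the files sets the directive.
largest_gc_maxlifetime() {
    max=0
    for ini in "$@"; do
        [ -r "$ini" ] || continue
        val=$(sed -n 's/^[[:space:]]*session\.gc_maxlifetime[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$ini" | tail -n 1)
        if [ -n "$val" ] && [ "$val" -gt "$max" ]; then max=$val; fi
    done
    if [ "$max" -eq 0 ]; then max=1440; fi
    echo "$max"
}

# Session files in directory $1 whose mtime is older than $2 seconds,
# i.e. the ones a cleanup using that lifetime would delete. find(1)
# compares in whole minutes, so the cut-off is approximate.
purge_candidates() {
    find "$1" -type f -name 'sess_*' -mmin +"$(( $2 / 60 ))"
}

# Succeeds (exit 0) when a per-domain lifetime $1 is longer than the
# largest value found in the remaining arguments (php.ini files), meaning
# that domain's sessions are removed before its own setting says they may be.
domain_purged_early() {
    wanted=$1; shift
    [ "$wanted" -gt "$(largest_gc_maxlifetime "$@")" ]
}

# Typical invocation on the paths named in the post (run manually):
#   limit=$(largest_gc_maxlifetime /etc/php.ini)
#   purge_candidates /var/lib/php/session "$limit"
```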
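Run the following in a shell to change session.gc_maxlifetime in the system's default php.ini file from 1440 seconds to 86400 seconds (24 hours). The command only rewrites the line if it still holds the default value of 1440.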
sed -i '/^session.gc_maxlifetime = 1440/s/1440/86400/' /etc/php.ini
This is better than disabling or removing the script entirely because there can be performance issues with having too many old session files. It also means that you’ll be able to set timeout values greater than 24 minutes and shorter than 1 day that are still effective. If you want sessions that last longer than a day, you can multiply the number 86400 by the number of days that you want the sessions to survive.
You can check out our report on this issue in the Plesk forums here.