From b4bb0a674631c256e2b567de15ed658b64d2ff58 Mon Sep 17 00:00:00 2001
From: Josh
Date: Sun, 8 Mar 2026 14:04:01 -0400
Subject: [PATCH] docs(config): clarify session_lifetime semantics and related expiry interactions
Signed-off-by: Josh
---
 config/config.sample.php | 22 +++++++++++++++++-----
 1 file changed, 17 insertions(+), 5 deletions(-)
diff --git a/config/config.sample.php b/config/config.sample.php
index bad9aa86d8b65..8159b50f26785 100644
--- a/config/config.sample.php
+++ b/config/config.sample.php
@@ -1,7 +1,7 @@ 60 * 60 * 24 * 15,
 /**
- * The lifetime of a session after inactivity.
+ * Lifetime of sessions created without selecting "Remember me", after
+ * inactivity, in seconds.
 *
- * The maximum possible time is limited by the ``session.gc_maxlifetime`` php.ini setting
- * which would overwrite this option if it is less than the value in the ``config.php``
+ * If "Remember me" is used, set ``remember_login_cookie_lifetime`` higher
+ * than this value to avoid earlier-than-expected remembered-login expiry.
 *
- * Defaults to ``60*60*24`` seconds (24 hours)
+ * Effective behavior also depends on related settings:
+ * - ``session_keepalive`` can extend active Web UI sessions via heartbeat requests.
+ * - ``session_relaxed_expiry`` may allow sessions to persist longer than this value.
+ * - ``auto_logout`` can enforce logout behavior in the Web UI.
+ *
+ * The effective maximum retention also depends on PHP settings and external
+ * session-backend cleanup policies, including (but not limited to) PHP's
+ * ``session.gc_maxlifetime`` and environment-specific cleanup behavior (e.g., distro
+ * cron/tmpfiles policies and handler-specific GC behavior). These may override this
+ * value.
+ *
+ * Defaults to ``60*60*24`` seconds (24 hours).
 */
 'session_lifetime' => 60 * 60 * 24,
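Review bot: The closing sentence of the new PHP-settings paragraph, `These may override this value.`, no longer says in which direction. The removed text stated that ``session.gc_maxlifetime`` limits the lifetime when it is lower than the configured value. An administrator who relies on `session_lifetime` as an idle-timeout control needs to know which factors can end a session early (the PHP and backend cleanup policies) and which can keep it alive past the value (`session_keepalive`, `session_relaxed_expiry`, as the bullet list already says). Assuming the old behaviour still holds, which the hunk does not show, I would replace that sentence with something like `If any of these is shorter than this value, sessions can end earlier than configured.` The opening sentence would also read more clearly as `Idle lifetime, in seconds, of sessions created without selecting "Remember me".`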