Why 1440 seconds
Time is unique. You can never lose time and get it back again. Time is our most important asset. Think about how much attention you give to your money. You think about money a lot, you spend time learning how to invest it, and you do what you can to protect it.
And yet we typically think little about our time. The magic number that can change your life is this: realize there are only minutes in each day. You will never get them back. Seconds can slip away fairly easily, but minutes... just think of all the ways you can spend just one minute!
You could write a thank-you note, do 30 sit-ups, have a great idea, do a yoga Breath of Fire, or introduce yourself to a stranger. When I asked members of my Facebook page how they could use a single minute, their creative responses included: Highly successful people feel the passage of time.

With your code, you would make that risk even lower because it would only work if the attacker shared the user agent and the IP of the predicted session.
But the difference is trivial in this case. Fixation would mean that an attacker can create a session and then force another user into using their session. In this case it would depend: if the attacker knows that you are doing it and they fake the user agent and IP of the client, they could fixate the session.
Or if they share IP and user agent. And finally we have session hijacking, probably the most common method of the three. In this case an attacker would somehow gain access to the session ID of a valid logged-in user, and then use it to log in to their account. As with the previous method, this would only work for them if they know that you are checking the IP and user agent, and faked the same ones as the user.
The technique you are using is not unique, and some attackers might fake them just in case. Unless your code is open source, almost anything you do that changes the behavior of the PHP sessions will be secure enough. The only exception to that would be really popular sites that will attract the attention of hackers. I would assume it's not standardized because it's not really a major concern. I really do not see any hassle in just writing down a define or const static, or just making a header with a bunch of math constants you may need.
It's not really anything anyone composing the standard has on his mind while trying to improve the language. Jekyll does not have a standard way of naming layouts; this has the benefit of flexibility, but it can cause confusion sometimes.
Then PHP4 came out in the year with native session support, but now the lifetime was specified in seconds. I'll bet someone just never bothered converting minutes to seconds. It's probable that person was Sascha Schumann. Once that value was coded into the Zend engine, it became the configuration php.
Why is the standard session lifetime 24 minutes seconds? Here's the source code line where the default value is set. Anil: This discussion does not answer my question. Vicario, I found the change: github. I found Sascha's email address and contacted him about this; I'll let people know if he responds.