I’m used to working on busy public servers. For my latest project, I have a server all to myself (what fun!). Could not understand why the sessions weren’t timing out.
The key php.ini settings that resolved the issue were the garbage collection numbers. After all, PHP doesn’t check the session files for timeouts on every request.
In addition, if you don’t assign a value to a session variable on every request, the timestamp on the file isn’t updated - so the session will timeout regardless of activity.
To use the cookie to limit the session length, regardless of activity, use session_set_cookie_params to set the lifetime of the cookie.