I am on a shared virtual Apache Red Hat web server and I wanted to extend the default session time-out value for my site. I don’t manage the server and have to reserve server-wide requests to very important things so as not to “cry wolf” with gentleman who runs the server (which is not something I want to do).

When I set out on the search engines, all of the initial results were forums with self-proclaimed web geniuses chastising users not unlike myself for asking how to change session time out. Making users aware of the risks and downside of a change they are trying to make is great and a value-add, but the attitude about it and then not answering the question asked is just obnoxious and arrogant.

I do recognize the security vs. convenience trade off around extended session time outs, but I am not looking to eliminate session time out and I’m willing to accept a little more risk for a little more convenience.

I tried a couple of different phrasings for my search query and found this forum thread, which was very helpful. It very clearly asks my question and another user very clearly answered it. A bonus item in that thread was an echo statement to view what is set in the session time out cookie.

I just made the change, so we’ll see how it works out.

Feb 5th Update

This strategy does not seem to be working and the session time out seems very inconsistent. I’m not sure if other sites I visit concurrently battle each other on session status/time-out and/or if something is overriding the implementation described above. I’ll have to go back to the drawing board on this one…