How to configure PHP session timeout settings in shared hosting
Learn how to adjust PHP session timeout values on cPanel and Plesk shared hosting accounts to prevent premature logouts and optimize user experience.
Adjusting the session timeout prevents users from being logged out unexpectedly due to inactivity. These steps target cPanel 118.x and Plesk Obsidian 18.x shared hosting environments where you cannot edit the global php.ini directly.
Prerequisites
- Access to your cPanel or Plesk control panel as a reseller or root user.
- Knowledge of the specific PHP version you are using (e.g., PHP 8.3.x).
- A web browser and a text editor to create configuration files.
Step 1: Locate the current session timeout value
First, determine the default session timeout to understand the baseline configuration. Log in to your cPanel or Plesk interface and navigate to the PHP configuration section. You will typically find a field labeled "Session Timeout" or "Session.gc_maxlifetime". The default value is often 1800 seconds (30 minutes) for cPanel and varies by provider for Plesk. If you are on a VPS with root access, open the terminal and run the following command to check the current setting:
php -i | grep session.gc_maxlifetime
You will see output similar to this:
session.gc_maxlifetime => 1800
This means session data is treated as expired, and becomes eligible for garbage collection, after 1800 seconds of inactivity.
Step 2: Configure timeout via cPanel WHM interface
If you have WHM access, you can set a default timeout for all accounts or specific accounts. Log in to WHM and navigate to Home > PHP Configuration. Select the specific PHP version you want to modify, such as PHP 8.3.x. Locate the "Session Timeout" field. Enter the desired number of seconds, for example, 3600 for one hour. Click "Save Changes". The system will apply this setting to the global pool for that PHP version. If you are managing a single shared account without WHM, skip to the next section.
Step 3: Upload a custom php.ini file for a specific account
On shared hosting where you cannot edit global settings, you must create a custom configuration file. Log in to your cPanel account and go to the "Select PHP Version" or "MultiPHP INI Editor" tool. Navigate to the "Custom Configuration" tab. In the text editor, add the following line to set the timeout to 3600 seconds:
session.gc_maxlifetime = 3600
Save the file. The system will reload the configuration for your specific domain. Ensure you do not overwrite the entire php.ini file unless you are an administrator, as this can break other settings.
Step 4: Configure timeout via Plesk Obsidian interface
For Plesk Obsidian 18.x, the process involves editing the site-specific PHP settings. Log in to the Plesk control panel. Go to "Websites & Domains" in the left sidebar. Click on the domain name you want to configure. Select "PHP Settings" from the submenu. Scroll down to the "PHP Configuration" section. You will see a field for "Session timeout". Enter the value in seconds, such as 7200 for two hours. Click "Apply" or "Save". Plesk will restart the PHP-FPM service for that domain automatically.
Step 5: Verify the new timeout value via a test script
Create a simple PHP file to confirm the settings have taken effect. Create a file named `test_session.php` in your public_html directory with the following content:
<?php
phpinfo();
?>
Access `http://yourdomain.com/test_session.php` in your browser. Search for the `session.gc_maxlifetime` directive in the output. You should see the value you configured, for example, `3600`. If you see the old value, check for typos or conflicting settings in other PHP versions.
Verify the installation
Open the test script from Step 5 in your browser. It calls the following function, which displays the active PHP settings, including the session settings, for your current domain:
phpinfo()
Look for the `session.gc_maxlifetime` entry. It should display the number of seconds you set in the previous steps. If you set it to 3600, the output will show `3600`. This confirms the server is using your custom configuration.
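A narrower check than a full `phpinfo()` page, as an added example that is not part of the original article: it prints only the session directives discussed here and flags the cookie-lifetime mismatch covered under Troubleshooting. The file name `check_session.php` and the function name are assumptions.

```php
<?php
// Added example, not from the original article. The file name
// check_session.php and the function name below are hypothetical.

// Return warnings for a set of effective session directives.
function audit_session_settings(array $ini): array
{
    $findings = [];
    $gc     = (int) $ini['session.gc_maxlifetime'];
    $cookie = (int) $ini['session.cookie_lifetime'];

    // 0 means "until the browser closes". Any other value below
    // gc_maxlifetime ends the session when the cookie expires.
    if ($cookie !== 0 && $cookie < $gc) {
        $findings[] = "session.cookie_lifetime ($cookie) is shorter than session.gc_maxlifetime ($gc)";
    }
    // Boolean directives come back from ini_get() as "", "0", "1", "On", ...
    $flags = [
        'session.cookie_secure'   => 'cookie is also sent over plain HTTP',
        'session.cookie_httponly' => 'cookie is readable from JavaScript',
        'session.use_strict_mode' => 'uninitialized session IDs sent by the client are accepted',
    ];
    foreach ($flags as $name => $risk) {
        if (!filter_var($ini[$name], FILTER_VALIDATE_BOOLEAN)) {
            $findings[] = "$name is off: $risk";
        }
    }
    return $findings;
}

$names = [
    'session.gc_maxlifetime', 'session.cookie_lifetime',
    'session.cookie_secure', 'session.cookie_httponly',
    'session.use_strict_mode',
];
$effective = [];
foreach ($names as $name) {
    $effective[$name] = ini_get($name);
}

header('Content-Type: text/plain');
foreach ($effective as $name => $value) {
    printf("%-26s %s\n", $name, var_export($value, true));
}
foreach (audit_session_settings($effective) as $finding) {
    echo "WARNING: $finding\n";
}
```

Delete the script once the values are confirmed, since a diagnostic page left in public_html is readable by anyone who requests its URL.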
Troubleshooting
Error: Session timeout value is ignored
If the new value does not appear in the `phpinfo()` output, check if the PHP version selected in the control panel matches the version you edited. Sometimes shared hosts run multiple PHP versions. Ensure you are editing the configuration for the version your application uses (e.g., PHP 8.3).
Error: Permission denied when creating the file
If you cannot upload a custom `php.ini` or `.user.ini`, your hosting provider may have disabled custom configurations. Contact support to request an increase in the session timeout limit or ask them to apply the change via the backend.
Error: Value is not an integer
Ensure you enter a whole number without units like "minutes". The directive expects seconds. Entering "30 minutes" will cause a syntax error. Always use numeric values like "1800" or "3600".
Error: Session is still expiring too quickly
The session timeout is not the only factor. Check the `session.cookie_lifetime` setting. If the cookie lifetime is shorter than the session timeout, the session will expire when the cookie expires. Set `session.cookie_lifetime` to match or exceed your session timeout value in the same configuration file.
Warning: Security implications
Increasing the session timeout too much increases the risk of session hijacking. A timeout of 3600 seconds (1 hour) is a common balance between usability and security. For high-security applications, keep the timeout lower or implement additional measures like HTTPS-only sessions.
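`session.gc_maxlifetime` only marks stored session data as eligible for garbage collection, so a hard idle limit has to be enforced by the application itself. The following is an added example, not code from the original article, that does this and hardens the session cookie; the constants, the function name and the `/login.php` path are assumptions, and it assumes the site is served over HTTPS.

```php
<?php
// Added example, not from the original article. The constants, the
// function name and the /login.php path are hypothetical.
const IDLE_LIMIT   = 3600; // seconds of inactivity allowed (Step 3 value)
const ROTATE_AFTER = 900;  // assumption: issue a new session ID every 15 minutes

// Start the session and enforce the idle limit; false means "log in again".
function start_guarded_session(int $now): bool
{
    ini_set('session.use_strict_mode', '1'); // reject IDs the server did not issue
    session_set_cookie_params([
        'lifetime' => 0,      // cookie ends with the browser session
        'path'     => '/',
        'secure'   => true,   // assumes the site is served over HTTPS
        'httponly' => true,   // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();

    $last = $_SESSION['last_activity'] ?? null;
    if ($last !== null && $now - $last > IDLE_LIMIT) {
        // Idle too long: discard the data now rather than waiting for GC.
        $_SESSION = [];
        session_destroy();
        return false;
    }

    // Rotate the ID periodically so a captured ID has a short useful life.
    if ($now - ($_SESSION['id_issued'] ?? 0) > ROTATE_AFTER) {
        session_regenerate_id(true);
        $_SESSION['id_issued'] = $now;
    }
    $_SESSION['last_activity'] = $now;
    return true;
}

if (!start_guarded_session(time())) {
    header('Location: /login.php');
    exit;
}
```

Include this at the top of every page that requires a logged-in user, before any output is sent.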
Final check
After making changes, clear your browser cache and cookies. Open the test script again to ensure the new settings are active for your browser session.