Set the PHP session cookie to be a session cookie (session.cookie_lifetime = 0) + set the garbage collection time, which is calculated since the last session_start() [by setting session.gc_maxlifetime=3600 to have the session valid for one hour since last activity]. I’m talking about these two settings:
session.cookie_lifetime int
session.cookie_lifetime specifies the lifetime of the cookie in seconds which is sent to the browser. The value 0 means “until the browser is closed.” Defaults to 0.
https://www.php.net/manual/en/session.configuration.php#ini.session.cookie-lifetime
session.gc_maxlifetime int
session.gc_maxlifetime specifies the number of seconds after which data will be seen as ‘garbage’ and potentially cleaned up. Garbage collection may occur during session start (depending on session.gc_probability and session.gc_divisor). Defaults to 1440 (24 minutes).
https://www.php.net/manual/en/session.configuration.php#ini.session.gc-maxlifetime
Sometimes I see that people set a PHP session cookie lifetime; however, it does not increase security and only annoys people. For example, if you set the expiration to 24h, then when you log on at 10 AM you will be logged out at 10 AM the next day, no matter what.
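The two settings above applied at runtime, as an added example that is not part of the original post. Because the manual text quoted above says stale data is only "potentially cleaned up", the sketch also records the last activity time in the session and discards the session itself once the idle limit has passed. `IDLE_LIMIT`, `session_is_idle()`, `start_idle_limited_session()` and the `last_activity` key are assumed names.

```php
<?php
declare(strict_types=1);

// Added example. IDLE_LIMIT and the 'last_activity' key are assumed names.
const IDLE_LIMIT = 3600; // seconds; same value as session.gc_maxlifetime

// Pure decision rule: idle only if a previous activity time exists
// and more than $limit seconds have passed since it.
function session_is_idle(?int $lastActivity, int $now, int $limit = IDLE_LIMIT): bool
{
    return $lastActivity !== null && ($now - $lastActivity) > $limit;
}

function start_idle_limited_session(): void
{
    // Both settings must be in place before session_start().
    ini_set('session.cookie_lifetime', '0');                // cookie lasts until the browser closes
    ini_set('session.gc_maxlifetime', (string) IDLE_LIMIT); // data counts as garbage after 1 hour
    session_start();

    $last = $_SESSION['last_activity'] ?? null;
    if (session_is_idle(is_int($last) ? $last : null, time())) {
        // Garbage collection is probabilistic, so stale data can still be
        // on disk here. Drop it and continue with a fresh session id.
        $_SESSION = [];
        session_destroy();
        session_start();
        session_regenerate_id(true);
    }
    // Each request slides the idle window forward.
    $_SESSION['last_activity'] = time();
}

// Constructed timestamps to exercise the rule from the command line.
if (PHP_SAPI === 'cli') {
    $login = 1700000000;
    var_dump(session_is_idle(null, $login));                      // first request, no history
    var_dump(session_is_idle($login, $login + IDLE_LIMIT));       // exactly at the limit
    var_dump(session_is_idle($login, $login + IDLE_LIMIT + 1));   // one second past the limit
} else {
    start_idle_limited_session();
}
```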