Why does Debian's PHP sessionclean script touch all open files first?
Session files that are older than the maximum lifetime, at the time the find
command evaluates them, will be deleted.
Files are updated at the latest when the PHP script finishes execution. However, perhaps it is not really fair to kill a session for being idle while it is executing. Thus, the touch
updates the modify time on session files which have a php process currently executing.
Yes, there is a race condition of a php process starting after the touch
, resuming a too old session, and getting deleted because it did not finish before the find
did garbage collection. The session already existed for its full lifetime, probably several minutes. Missing an extension in a fraction of a second window isn't a big deal.
The alternative, PHP's built in implementation, has a 1% or so chance of running garbage collection on execution. For low volume sites, it might not trigger reliably.
Plus, the external script allows locking down the security on the session directory, which is why Debian maintainers did it that way.