Now the problem with that is, let's say user A starts a session at 1h00 and then leaves for 45 minutes (and you previously set session.gc_maxlifetime to 30 minutes). Now technically what happens is that user A's session data should be erased, but that will only happen if another user, let's call him user B, shows up between 1h30 and 1h44. Otherwise, user A will still have access to its old session data.
I'm about to tackle this issue myself and was wondering about setting the default server time-out page to a custom PHP page which has the following:
session_start(); // resumes the current session so it can be destroyed
session_unset(); // kills all session variables
session_destroy(); // kills the session
This would allow me to build whatever PHP applications on the internal network I wanted and if any of them time out then the session kill will be run.
On the other hand I'm thinking of a cron job set for 2 hours or so.
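The scenario discussed above (user A returning after 45 minutes and still finding old session data) can also be closed off in the application itself, without waiting for garbage collection or a cron run. This is an added example, not code from the thread; the `last_activity` key, the `IDLE_LIMIT` constant and the function names are assumptions chosen for illustration.

```php
<?php
// Added example (not from the thread): enforce the idle timeout on every
// request instead of relying on session garbage collection being triggered.

const IDLE_LIMIT = 1800; // 30 minutes, matching the gc_maxlifetime in the scenario

/**
 * True when the previous request is older than the idle limit.
 * $lastActivity is a Unix timestamp, or null for a brand-new session.
 */
function session_is_expired(?int $lastActivity, int $now, int $limit = IDLE_LIMIT): bool
{
    return $lastActivity !== null && ($now - $lastActivity) > $limit;
}

function enforce_idle_timeout(): void
{
    session_start();
    $now = time();

    if (session_is_expired($_SESSION['last_activity'] ?? null, $now)) {
        // The stored data outlived the limit even though GC never ran:
        // drop the variables and delete the server-side session record.
        session_unset();
        session_destroy();

        // Continue with an empty session under a fresh ID so the old
        // session ID can no longer be used to reach any data.
        session_start();
        session_regenerate_id(true);
    }

    // Record this request as the latest activity.
    $_SESSION['last_activity'] = $now;
}

// Call at the top of every page that uses the session.
enforce_idle_timeout();
```

With this check in place, garbage collection or a cron job only has to clean up leftover session files; the timeout itself no longer depends on another visitor arriving.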