On accessing session data on the server side, its modified_time gets set, therefore extending its expiration time into the future.
However, this does not happen for the PHPSESSID cookie. While the session data expiration on the server side is extended, the cookie expiration is not. If the cookie expires, the user will lose his session - he will have no session ID to send with a request.
Is there any way to tell Symfony\Component\HttpFoundation\Session\Session to extend the cookie expiration date?
Can this be done for the same session ID? Or will we have to regenerate it (seems inefficient to do for many users X many requests)?
Should I set it myself manually (disregarding the OOP principles)?
I've found $request->getSession()->getMetadataBag() and tried setting stampNew(), but this does not seem to interact with the PHPSESSID cookie.
You can change it in the config.yml file under the session key, for example:
# session configuration
session:
    cookie_lifetime: 3600
From the doc:
cookie_lifetime
type: integer default: null
This determines the lifetime of the session - in seconds. The default
value - null - means that the session.cookie_lifetime value from
php.ini will be used. Setting this value to 0 means the cookie is
valid for the length of the browser session.
More info in the doc here
Well, I am going straight to it: how can I store sessions in the database? I have tried and stored sessions in the database, but they get deleted automatically from the DB because of the CodeIgniter database garbage collector.
I don't know how to keep all the sessions. I don't want to delete any session from the database. I don't want a session deleted until a database user deletes the row.
Moreover, I want to develop a way for a user to log out from all their sessions.
Please share your thoughts. thanks.
Set the session expiration value sess_expiration in the config to 0 if you don't want it to time out unless the browser is closed, or set it to a crazy amount like 5 years.
sess_expiration: The number of seconds you would like the session to last. If you would like a non-expiring session (until browser is closed) set the value to zero: 0
The config file is found at: application/config/config.php
You can also disable automatic session regeneration by setting sess_time_to_update to 0.
Reference: https://codeigniter.com/user_guide/libraries/sessions.html#session-preferences
Set $config['sess_expiration'] = 0 for a lifetime session.
I understand the normal application of a persistent cookie vs a session cookie. But if you can specify the expiration time of a session cookie to behave like a persistent cookie and vice versa, is there any benefit to using session cookies besides them being obfuscated from the user and the session being stored on the server?
The session_set_cookie_params() function allows you to set a specific expiration time for a session. You can set the time in a persistent cookie in the setcookie() function.
I already pulled up the threads Cookie VS Session and Session cookies and persistent cookies, and didn't find my answer.
But if you can specify the expiration time of a session cookie to behave like a persistent cookie and vice versa.
Not true: the difference between a session cookie and a persistent cookie is whether or not an expires value is given. A session cookie can't have an expiration time by definition.
Is there any benefit to using session cookies besides them being obfuscated from the user and the session is stored on the server?
A session ID for something like PHP sessions can be stored in either a session cookie or a persistent cookie, and session cookies can contain other information besides session IDs. They both use the word "session" but are separate things.
A session cookie is the right choice if you want the cookie to disappear when the user closes their browser. A good example is online banking - the cookie that authenticates you should be destroyed when you close the browser so someone can't sneak onto your computer, reopen the browser, and start making transfers. Ever had your Facebook status or something like that changed as a prank?
As the title suggests, my setup somehow allows me to select any session ID I want, even though strict mode is enabled.
Configuration of PHP is (when running phpinfo();):
session.use_cookies On
session.use_only_cookies On
session.use_strict_mode On
session.use_trans_sid 0
session.cookie_httponly On
session.cookie_secure On
I can verify that the session ID can be "user customized" by setting a PHPSESSID cookie for the domain to whatever I want, then logging in by passing this cookie with the login request.
This means anyone could potentially be tricked into setting their cookie ID to "123", and my server would validate their login and let them use this ID for subsequent requests - assuming of course they had the credentials to make "123" a valid session - compromising their identity.
Why is my server not regenerating the ID when it does not exist? I was under the impression this was the whole idea of strict_mode. Am I wrong?
I can confirm that the ID is deleted from the server (memcached in this case) by telnet'ing to it and finding the key - it will delete when logging out and come back when logging in - even if I set it to just 123 or any similar insecure value. If I don't set a cookie when logging in, it will correctly generate a new one.
Edit: I fixed it by calling session_regenerate_id(true); after a successful login, forcing the cookie to be replaced - but this does not answer the original question.
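The fix from the edit above, written out as an added example (not the asker's code): strict mode only rejects session IDs PHP did not issue, so the ID presented before authentication is additionally replaced on login. Helper names and the one-user credential store are hypothetical.

```php
<?php
// Added example (not the asker's code): log a user in so that the session ID
// used before authentication is never kept. Helper names are hypothetical.
declare(strict_types=1);

function startSecureSession(): void
{
    // Strict mode makes PHP reject session IDs it did not issue itself, but it
    // does not by itself replace an ID that is already valid; regenerate on login.
    ini_set('session.use_strict_mode', '1');
    ini_set('session.use_only_cookies', '1');
    session_start([
        'cookie_httponly' => true,
        'cookie_secure'   => true,
        'cookie_samesite' => 'Lax',
    ]);
}

// Hypothetical credential check against a constructed one-user store.
function verifyCredentials(string $user, string $password): ?int
{
    $users = ['alice' => ['id' => 42, 'hash' => password_hash('correct horse', PASSWORD_DEFAULT)]];
    if (!isset($users[$user]) || !password_verify($password, $users[$user]['hash'])) {
        return null;
    }
    return $users[$user]['id'];
}

function login(string $user, string $password): bool
{
    $userId = verifyCredentials($user, $password);
    if ($userId === null) {
        return false;
    }
    // Whatever ID the client presented before login (possibly one it chose itself)
    // is discarded: a fresh ID is issued and the old server-side record is deleted.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
    return true;
}

function logout(): void
{
    $_SESSION = [];
    // Expire the cookie on the client as well as destroying the server-side record.
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}
```

Call startSecureSession() before login() on every request; the regeneration belongs at every privilege change, not just at login.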
I'm a bit confused with this.
Say the session has been started with default php.ini settings, where gc_maxlifetime is 1440 seconds. And I am supposed to use remember-me functionality with this, for which I set the cookie lifetime to 14 days. As long as the session max lifetime is set to 24 minutes, which is obviously less than the cookie lifetime (14 days), after 10 days (for example) the session is likely (of course depending on gc probability) to have expired and would have no reference to the session ID the remember-me cookie has.
So how would setting a remember-me cookie lifetime longer than the session lifetime remember/resume the session? Or do I need to change the session max lifetime according to the cookie lifetime?
Generally a "remember me" cookie is a persistent cookie, not a session cookie. It contains some encrypted information which allows an automatic login action to occur, i.e., when there is no active session already but the "remember me" cookie is present, a new session will be started.
The session GC function will delete session data (which is by default kept in plain text files), while the cookie settings will delete the cookie that keeps the session id.
In order for a session to be active, its data file, and a cookie with its ID must exist (AFAIK).
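The flow this answer describes, as an added example that is not the answerer's code: a persistent remember-me cookie carries a random selector and validator, and when the short-lived session is gone, the token is looked up and a new session is started. The token store is a constructed array standing in for a database table; function names are hypothetical.

```php
<?php
// Added example (not the answerer's code) of the flow described above: a persistent
// "remember me" cookie re-creates a session after the old one was garbage-collected.
// The token store is a constructed array standing in for a database table.
declare(strict_types=1);

const REMEMBER_COOKIE = 'remember_me';
const REMEMBER_DAYS   = 14;

function issueRememberCookie(int $userId, array &$store): void
{
    $selector  = bin2hex(random_bytes(12));
    $validator = bin2hex(random_bytes(32));
    $expires   = time() + REMEMBER_DAYS * 86400;
    // Only a hash of the validator is stored, so a leaked table does not yield usable cookies.
    $store[$selector] = ['hash' => hash('sha256', $validator), 'user_id' => $userId, 'expires' => $expires];
    setcookie(REMEMBER_COOKIE, $selector . ':' . $validator, [
        'expires' => $expires, 'path' => '/', 'secure' => true, 'httponly' => true, 'samesite' => 'Lax',
    ]);
}

function resumeFromRememberCookie(array &$store): bool
{
    if (isset($_SESSION['user_id'])) {
        return true;  // an active session exists, nothing to resume
    }
    $raw = $_COOKIE[REMEMBER_COOKIE] ?? '';
    if (substr_count($raw, ':') !== 1) {
        return false;
    }
    [$selector, $validator] = explode(':', $raw, 2);
    $row = $store[$selector] ?? null;
    if ($row === null || $row['expires'] < time() || !hash_equals($row['hash'], hash('sha256', $validator))) {
        return false;  // unknown, expired or forged token
    }
    // The session data may have been removed by gc_maxlifetime long ago; that is fine,
    // because the token authenticates the user and a brand-new session is started.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $row['user_id'];
    // Rotate the token on every use so a copied cookie is only good until either side uses it.
    unset($store[$selector]);
    issueRememberCookie($row['user_id'], $store);
    return true;
}

$rememberStore = [];
session_start();              // the normal session cookie, lifetime 0 or short
resumeFromRememberCookie($rememberStore);
```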
I have a web application that pings a database every minute or so to check for new entries. The page is designed to not really have any interaction with... You just keep it open and it displays things. The page is password protected, and the site can be up for a couple of days without anyone clicking in the web browser or anything. I've found that after it's up for a day or so it stops checking the database (through an Ajax request), and then if you refresh the page manually it brings you to the login page again. I'm assuming that's because the session which has the login information expires. I never set an expiration time, but does PHP automatically destroy sessions after a certain amount of time? What do I do to fix this?
Thanks
Thanks for all the replies... Is there a way to set the session to never expire without just changing the PHP settings themselves?
The default value of session.gc_maxlifetime is 1440 seconds. So the garbage collector assumes a session to be expired when the last modification was at least 1440 seconds ago.
Note that when using a cookie for the session ID it might have a different lifetime. The default value 0 of session.cookie_lifetime makes the cookie a session cookie, that means it expires when the browser session is ended (i.e. the browser is closed).
See also my answer on How do I expire a PHP session after 30 minutes? for further information on session expiration.
From php.ini:
; Lifetime in seconds of cookie or, if 0, until browser is restarted.
; http://php.net/session.cookie-lifetime
session.cookie_lifetime = 0
That would be the default if I'm not mistaken. Either set it to zero (if it's not already set) or just use another cookie.