I am trying to increase the session lifetime in cakephp app. I have a remember me checkbox in login page. When checking the checkbox, I need to extend session time to 1 hour more to current time and any action inside the app after login will need to extend session time to 1 hour more.
I have component file for login and all action will be entered in startup function.
I tried to extend the session.cookie(CakePHP's session cookie) lifetime, but it didn't works.
function startup(&$controller) {
/* First try */
setcookie(Configure::read('Session.cookie'),$_COOKIE[Configure::read('Session.cookie')], time() + 3600, "/"); // Configure::read('Session.cookie') is 'CAKEPHP'.
/* Second try */
ini_set('session.gc_maxlifetime', 3600);
/* Third try */
session_set_cookie_params(time() + 3600);
echo $this->Session->read('status').' session <br/>';
echo $_SESSION['test'];
}
But all of these doesn't keep the session after session.timeout(CakePHP's session timeout) time. The session status and test varaibles are created on login. It will be retrieved until session.timeout is not reached.
I am using cakephp v1.2.
keep this in your core.php file
Configure::write('Session', array(
'defaults' => 'cake',
'timeout' => 14400, // 4 hours
'cookieTimeout' => 14400, // 4 hours
'cookie' => 'Your Cookie Name',
)
);
It is not a good idea to keep very high session timeout. If your requirement is only to keep him logged for more time, then use some auto_login component like www.milesj.me/resources/script/auto-login
Related
Okay so I've created a login system using PHP Sessions which stores user-related data within $_SESSION while logged in. To reach a PHP $_SESSION / session cookie whose expiry gets extended by x seconds every time the client refreshes a page, I created the following callback, which I call upon every page initiation:
<?php
if ( session_status() === PHP_SESSION_NONE ) {
session_start(
[
'cookie_path' => '/',
'cookie_domain' => 'mydomain.com',
'cookie_secure' => true,
'cookie_httponly' => true,
'cookie_samesite' => 'Strict',
'use_strict_mode' => true,
'use_trans_sid' => false,
'use_only_cookies' => true
]
);
} else {
// If session already exists, simply take it up again without overwriting parameters
session_start();
}
// Then determine the lifetime of the cookie (was only able to make the session cookie
// lifetime expendable using this syntax, as explained in the [first example of the php docs](https://www.php.net/manual/de/function.session-set-cookie-params.php)
setcookie(
session_name(),
session_id(),
[
'expires' => time() + x,
'path' => '/',
'domain' => 'mydomain.com',
'secure' => true,
'httponly' => true,
'samesite' => 'Strict'
]
);
?>
The reason why I specify all the:
httponly
secure
cookie path
cookie domain
samesite
parameters upon the very first call of session_start() AND also in the call of setcookie() is because if I specify one of them in session_start() and not in setcookie() or vice-versa, the browser returns two session cookies with the same session IDs, one having all of the mentioned flags, and the other without:
Now the problem is that, when I logout via the following callback, which I call as specified in the docs:
<?php
// Called via PHP Form Submit
session_start();
setcookie(
session_name(),
'',
time() - 42000,
'/',
'mydomain.com',
true,
true
);
session_destroy();
header( 'Location: mydomain.com' );
?>
I get the same problem as described in the images above; two session cookies in my browser, and again one having all the flags set, the other not, and the one without the flags set having set its expiry to the session's end, and the other one with its expiry set in x seconds; all exactly as in the image.
What am I doing wrong?
UPDATE
Is it may better to actually set all of the session cookie parameters via the php.ini file, and handle the session cookie expiry via a timestamp within $_SESSION, done like in this example?? Just thinking of a way of making the provision of any parameters in session_start() + any calls to setcookie() obsolete..
So my question is basically:
What's actually the best way of using several PHP session cookie flags, combined with a session expiry which is limited to let's say 10 mins, which gets refreshed by 10 mins on every page load?
I'm using Yii 1.1.13 and despite the session timeout is set to 1 day (session.gc_maxlifetime = 86400 in php.ini) Yii logs out the user after ~24 mins. It doesn't even redirect to the login page, only when the user would navigate to another page.
I set these in the login function:
$duration = Yii::app()->getSession()->getTimeout();
Yii::app()->user->login($this->_identity,$duration);
(the Yii::app()->getSession()->getTimeout() call gives back the right time, that is 86400)
I also set the cookie lifetime to this value:
Yii::app()->request->cookies['PHPSESSID']->expire = Yii::app()->getSession()->getTimeout();
but the bug still appears.
Thank you in advance for your helping answers.
I needed to set this in my main.php:
'session' => array(
'timeout' => 86400,
'cookieParams' => array(
'lifetime' => 86400,
),
)
It keeps alive both the session and the cookie even if they are somehow given a lower value.
I am working on a project which is built using CakePHP 2.8 . At the time of login I am setting a FLAG to 1 and on logout it is set to 0, so that account can be logged in on single computer at a time. It is working great till this part.
The problem I am facing is at the SESSION TIMEOUT. I am confused that how to set the flag to 0 in database when session timeout. Is there any way to run an update query on session timeout.
I am using the CORE config file to set the SESSION timeout limit as follow:
Configure::write('Session', array(
'defaults' => 'php',
'timeout' => 30, // The session will timeout after 30 minutes of inactivity
'cookieTimeout' => 1440, // The session cookie will live for at most 24 hours, this does not effect session timeouts
'checkAgent' => false,
'autoRegenerate' => true, // causes the session expiration time to reset on each page load
));
And this is my logout function
public function logout() {
$id = $this->Auth->User('id');
$this->User->updateAll(array('WebLoggedIn'=>0), array('User.id'=>$id));
$this->Auth->logout();
// redirect to the home
return $this->redirect('/');
}
That won't work
The idea in the question isn't going to work. The moving parts related to sessions, with the config in the question are:
A file stored on the server with the serialized session data in it, which updates every time the session is written to
A standard php cron job, which deletes session files that have expired (see /etc/cron.d/php5 or equivalent)
A browser cookie, which links the user's browser session to the file on the server
When a user's session time's out - that either means the session id they presented does not correspond to a file on the server, or they simply didn't present a session cookie. There's no "hey this session expired" event at the moment it expires, and there's no guarantee a user would provide the old session id for you to check if it's valid.
Working proposal
A simple (and this also means naïve and possibly easy to bypass) solution is to not store a boolean, and instead store the time their session will expire in the db. I.e. have code similar to this:
// App Controller
public function beforeFilter()
{
$userId = $this->Auth->user('id');
if ($userId) {
$this->User->updateAll(
array('active_session_expires'=> time() + (30 * 60)),
array('User.id'=>$id)
);
}
}
And in the users controller:
public function login() {
if ($this->request->is('post')) {
if ($this->Auth->login()) {
if ($this->Auth->user('active_session_expires') > time()) {
$this->Flash->error('You are still logged in somewhere else');
return $this->logout();
}
$this->User->updateAll(
array('active_session_expires'=> time() + (30 * 60)),
array('User.id'=> $this->Auth->user('id'))
);
return $this->redirect($this->Auth->redirectUrl());
}
$this->Flash->error(__('Invalid username or password, try again'));
}
}
public function logout()
{
$id = $this->Auth->User('id');
if ($id) {
$this->User->updateAll(
array('active_session_expires'=> time()),
array('User.id'=>$id)
);
$this->Auth->logout();
}
return $this->redirect('/');
}
I.e. every time they do something - update the db to keep track of their activity. If they try to login before their existing session expires - immediately log them out. Expect to need to test/modify this example code, it is provided to give you an idea, not necessarily a complete and working solution.
This is similar to an answer you've already been linked to.
I am using CakePHP 2.x and I want to know how do I set session time out to 8hrs. Please note that session should not expire before 8hrs. I have used
Configure::write('Session.timeout', '480');
but session still expires after few minutes.
Can anyone tell how do I set session time out to 8hrs, so that it will expire exactly after 8hrs?
Reset the session cookie expiration date:
$this->Session->renew().
UPD: you can also do that by:
Configure::write('Session', array(
'timeout' => '480',
'autoRegenerate' => true
)
);
I have set cookie and set it to expire after sufficient seconds. Still as soon as my session expires the cookie also expires. This is my code :-
if(isset($_POST['KeepMesignedIn'])) {
$this->load->helper('cookie');
$cookie = array(
'name' => 'info',
'value' => $user->Username . '||' . $user->Password,
'expire' => time()+3600*24*30
);
set_cookie($cookie);
}
Can anybody identify the problem?
According to the CodeIgniter documentation, set_cookie expects expires to be the delta seconds that are added to the current time:
The expiration is set in seconds, which will be added to the current time. Do not include the time, but rather only the number of seconds from now that you wish the cookie to be valid. If the expiration is set to zero the cookie will only last as long as the browser is open.
check is this part of code executed in your app or not. You need to debug.