Detect destroyed session use #13578
… day if remember me is not used.
Let's move this maybe into 3.7.0?
@tsteur moved
Verified it works. Note: in order to test the
// the session data won't be deleted until the cookie expires. | ||
@ini_set('session.gc_maxlifetime', $config->General['login_cookie_expire']); | ||
// the session data won't be deleted until the cookie expires (if form rememberme is used). | ||
@ini_set('session.gc_maxlifetime', Login::isRememberMeLogin() ? $config->General['login_cookie_expire'] : self::NON_REMEMBERME_GC_SESSION); |
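Review bot: session.gc_maxlifetime is not a per-session value; it is read by whichever request happens to trigger garbage collection and applied to every session file in the shared save path, so a non-remember-me request that sets `self::NON_REMEMBERME_GC_SESSION` here will, when GC fires, also delete remember-me sessions idle longer than that, and `login_cookie_expire` is only honoured on the rare GC run started by a remember-me request. If the goal is a shorter lifetime for non-remember-me sessions only, store a per-session expiry timestamp and check it when the session is read, rather than flipping the global GC threshold per request. The `@` in front of `ini_set` also hides the case where the directive cannot be changed at runtime, so a failed call goes unnoticed.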
I'm not sure about this one @diosmosis. I would have expected to always have it set to login cookie expire.
Reading in http://php.net/manual/en/session.configuration.php#ini.session.gc-maxlifetime I'm not sure I understand it. Most of the time, Login::isRememberMeLogin() isn't true so it would maybe destroy the session too early? Also does this setting affect other sessions or only the current session?
Is this change really needed?
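The question above about whether gc_maxlifetime affects other sessions, as an added example that is not part of this PR or of the project's own code: it constructs two idle session files in a private save path and lets a request that set the short lifetime run PHP's garbage collector (`session_gc()`, PHP 7.1+). The file names, idle times and the 24 h value are assumptions chosen for the demonstration.

```php
<?php
// Added example (not project code): session.gc_maxlifetime belongs to the
// garbage-collection run, not to one session. The files save handler deletes
// every sess_* file in save_path whose mtime is older than the value set by
// the request that triggered GC, regardless of who created the file.
$savePath = sys_get_temp_dir() . '/gc_demo_' . bin2hex(random_bytes(4));
mkdir($savePath, 0700);
ini_set('session.save_handler', 'files');
ini_set('session.save_path', $savePath);
ini_set('session.use_cookies', '0');   // CLI demo: no cookie header needed

// Two constructed session files: a "remember me" session idle for 2 days
// and a short-lived session idle for 2 hours (idle time = file mtime).
$sessions = ['sess_rememberme' => 2 * 86400, 'sess_shortlived' => 2 * 3600];
foreach ($sessions as $name => $idleSeconds) {
    file_put_contents("$savePath/$name", 'user|s:5:"alice";');
    touch("$savePath/$name", time() - $idleSeconds);
}

// A non-remember-me request sets the short lifetime (assumed: 24 h) and,
// like any request where the gc probability fires, runs the collector.
ini_set('session.gc_maxlifetime', (string) (24 * 3600));
session_start();
$removed = session_gc();              // number of files deleted by this run
session_write_close();

// The remember-me session is gone even though this request never owned it.
printf("removed %d session file(s); remember-me file still present: %s\n",
    $removed, var_export(file_exists("$savePath/sess_rememberme"), true));

// Clean up the demo save path.
array_map('unlink', glob("$savePath/sess_*"));
rmdir($savePath);
```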
I was trying to make sure that the session data is removed after a reasonable time when the session is not remembered, but I'm not sure there is a good way to do this. I'll just remove this code.
if (!$this->shouldHandleRememberMe()) { | ||
return; | ||
if (self::isRememberMeLogin()) { | ||
Session::rememberMe(Config::getInstance()->General['login_cookie_expire']); |
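Review bot: with the early `return` when `shouldHandleRememberMe()` is false, this block only extends the cookie lifetime on the remember-me path and does nothing for the non-remember-me case, so the "destroyed after a day if remember me is not used" behaviour from the PR title has to be enforced somewhere else; a short comment here naming where would save the next reader from assuming the default session lifetime applies to those sessions.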
just a little side note... likely not important... rememberMe calls self::regenerateId(); in Zend_Session so it might not call the self::regenerateId(); in our session class and not mark the session as destroyed before regenerating... but maybe this is not a big problem?
Added a comment as I'm not quite sure how gc_maxlifetime behaves. Otherwise looks good.
Actually this PR doesn't even work... not sure why I thought it did. Closing.
& make sure the session is destroyed after a day if remember me is not used.