Detect destroyed session use #13578

Closed
wants to merge 2 commits into from
Conversation

diosmosis (Member)

& make sure session is destroyed after a day if remember me is not used.

@diosmosis diosmosis added the Pull Request WIP Indicates the current pull request is still work in progress and not ready yet for a review. label Oct 10, 2018
@diosmosis diosmosis added this to the 3.6.1 milestone Oct 10, 2018

tsteur commented Oct 10, 2018

Let's move this maybe into 3.7.0?

@diosmosis diosmosis modified the milestones: 3.6.1, 3.7.0 Oct 10, 2018
diosmosis (Member, Author)

@tsteur moved

diosmosis (Member, Author)

Verified it works.

Note: in order to test the session.gc_maxlifetime change, you'll have to add @ini_set('session.gc_divisor', 1); to make sure session GC is triggered. (I also set the lifetime to 60 so I wouldn't have to wait a day.)

@diosmosis diosmosis added Needs Review PRs that need a code review and removed Pull Request WIP Indicates the current pull request is still work in progress and not ready yet for a review. labels Oct 11, 2018
// the session data won't be deleted until the cookie expires.
@ini_set('session.gc_maxlifetime', $config->General['login_cookie_expire']);
// the session data won't be deleted until the cookie expires (if form rememberme is used).
@ini_set('session.gc_maxlifetime', Login::isRememberMeLogin() ? $config->General['login_cookie_expire'] : self::NON_REMEMBERME_GC_SESSION);
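Review bot: making `session.gc_maxlifetime` depend on `Login::isRememberMeLogin()` in the second line does not scope the shorter lifetime to the current session. Garbage collection runs inside whichever request happens to trigger it and, with the files save handler, removes every record in the shared session store older than that request's `gc_maxlifetime`, so an ordinary (non-remember-me) request sweeping the store would also delete remembered sessions that are still younger than `login_cookie_expire` but older than `self::NON_REMEMBERME_GC_SESSION`; the PHP manual notes that when scripts sharing one store use different values, the smallest one effectively wins. Keep the first line's `login_cookie_expire` as the GC lifetime and enforce the shorter non-remember-me expiry per session instead, e.g. by storing a last-activity timestamp in the session data and checking it when the session is started.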
tsteur (Member)

I'm not sure about this one @diosmosis I would have expected to always have it set to login cookie expire.

Reading in http://php.net/manual/en/session.configuration.php#ini.session.gc-maxlifetime I'm not sure I understand it. Most of the time, Login::isRememberMeLogin() isn't true so it would maybe destroy the session too early? Also does this setting affect other sessions or only the current session?

Is this change really needed?

diosmosis (Member, Author)

I was trying to make sure that the session data is removed after a reasonable time when session is not remembered, but I'm not sure there is a good way to do this. I'll just remove this code.

if (!$this->shouldHandleRememberMe()) {
return;
if (self::isRememberMeLogin()) {
Session::rememberMe(Config::getInstance()->General['login_cookie_expire']);
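Review bot: on the `self::isRememberMeLogin()` branch the session id is regenerated inside `Session::rememberMe(...)`, and as the review comment on this hunk points out that goes through `Zend_Session`'s `regenerateId()` rather than the project's own session class, so the old id is never marked as destroyed on that path and the detection this PR adds does not cover remember-me logins. Either mark the current session as destroyed before calling `Session::rememberMe(...)`, or have the project's session class override `regenerateId()` so both the remember-me and the plain-login path record the destruction timestamp through the same routine.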
tsteur (Member)

just a little side note... likely not important... rememberMe calls self::regenerateId(); in Zend_Session so it might not call the self::regenerateId(); in our session class and not mark the session as destroyed before regenerating... but maybe this is not a big problem?
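The destroyed-session marking that the side note above is about, as an added PHP example that is not Matomo's or Zend_Session's code: a destroyed-at timestamp is written into the old session record before the id is replaced, and any later request that resumes the old id after a short grace period is refused. The ini settings reproduce the test setup from the earlier comment (gc_divisor 1, a 60 second lifetime). The names DESTROYED_AT_KEY, GRACE_PERIOD_SECONDS, startSessionChecked and regenerateSessionIdMarked are assumptions for this illustration; the regeneration steps follow the pattern the PHP manual gives for session_regenerate_id and need PHP 7.1 or later for session_create_id().

```php
<?php
// Added example (not Matomo/Zend_Session code). Names and constants below are
// assumptions made for this illustration.

const DESTROYED_AT_KEY     = '__destroyed_at';
const GRACE_PERIOD_SECONDS = 30;   // lets requests already in flight with the old id finish

// Test setup from the PR discussion: force GC on every request and use a
// 60 second lifetime so expiry can be observed without waiting a day.
ini_set('session.gc_probability', '1');
ini_set('session.gc_divisor', '1');
ini_set('session.gc_maxlifetime', '60');
ini_set('session.use_strict_mode', '1');   // ids the handler never issued are refused
ini_set('session.cookie_httponly', '1');

/**
 * Start the session and refuse to resume an id that was already replaced.
 * Returns true when the session is usable, false when the presented id is a
 * destroyed one (the caller should treat the request as unauthenticated).
 */
function startSessionChecked(int $now): bool
{
    if (session_status() !== PHP_SESSION_ACTIVE && !session_start()) {
        return false;
    }
    if (isset($_SESSION[DESTROYED_AT_KEY])
        && $_SESSION[DESTROYED_AT_KEY] + GRACE_PERIOD_SECONDS < $now) {
        // The old id outlived its grace period: a replayed cookie, or a client
        // that never received the new id. Remove the record entirely.
        $_SESSION = [];
        session_destroy();
        return false;
    }
    return true;
}

/**
 * Replace the session id while leaving a tombstone under the old one, so a
 * later request presenting the old cookie is caught by startSessionChecked().
 */
function regenerateSessionIdMarked(int $now): bool
{
    $newId = session_create_id();
    if ($newId === false) {
        return false;
    }
    $data = $_SESSION;                    // user data to carry over (array copy)
    $_SESSION[DESTROYED_AT_KEY] = $now;   // marker goes only into the old record
    session_commit();                     // write and close the old id

    // Strict mode would refuse an id the handler has not stored yet, so relax
    // it just for the switch to the freshly created id.
    ini_set('session.use_strict_mode', '0');
    session_id($newId);
    $started = session_start();
    ini_set('session.use_strict_mode', '1');
    if (!$started) {
        return false;
    }
    $_SESSION = $data;                    // new record: same data, no marker
    return true;
}

// Typical use after a successful login (uncomment in a real request):
// if (startSessionChecked(time())) {
//     regenerateSessionIdMarked(time());
//     $_SESSION['user'] = $authenticatedUser;
// }
```

The detection only holds if every id regeneration goes through regenerateSessionIdMarked(): a regeneration performed by another layer (the Zend_Session::regenerateId() case raised above) leaves no tombstone, so startSessionChecked() cannot tell that the old id was replaced. The grace period exists for concurrent requests that still carry the old cookie when the id changes; without it, legitimate users on flaky connections would be logged out.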


tsteur commented Dec 6, 2018

Added a comment as I'm not quite sure how gc_maxlifetime behaves. Otherwise looks good.

diosmosis (Member, Author)

Actually this PR doesn't even work... not sure why I thought it did. Closing.

@diosmosis diosmosis closed this Dec 8, 2018
@diosmosis diosmosis deleted the session-gc branch December 8, 2018 23:58