Detect expired session use #14502

diosmosis · 2019-05-29T22:34:59Z

No description provided.

mattab · 2019-05-31T05:44:51Z

config/global.ini.php

@@ -397,6 +397,9 @@
 ; Sets the session cookie path
 login_cookie_path =

+; the amount of time before a session that was created without the "remember me" option is considered expired


Is this from the time the session was created or rather from the last server side requets this user made?

the time the last server side request the user made, will update the docs

mattab · 2019-05-31T05:45:52Z

Feedback

we could change the session idle timeout to 1 hour or maybe even 30min?

according to https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Session_Management_Cheat_Sheet.md#session-expiration

Both the idle and absolute timeout values are highly dependent on how critical the web application and its data are. Common idle timeouts ranges are 2-5 minutes for high-value applications and 15-30 minutes for low risk applications.
When a session expires, the web application must take active actions to invalidate the session on both sides, client and server. The latter is the most relevant and mandatory from a security perspective.

diosmosis · 2019-05-31T17:46:28Z

we could change the session idle timeout to 1 hour or maybe even 30min?

Sure, I'll change the default config value.

diosmosis · 2019-06-02T16:18:03Z

Updated. Feel free to change the default config value.

mattab · 2019-06-05T11:18:31Z

@diosmosis Looking at https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Session_Management_Cheat_Sheet.md#session-expiration
I'm also wondering, do we already have Absolute Timeout implemented server side?

diosmosis · 2019-06-05T16:12:16Z

I don't think we want both, otherwise some will complain that the session shouldn't just end while they're using it.

tsteur · 2019-06-07T09:16:56Z

Maybe the absolute session timeout could be set to something like 3 months?

tsteur · 2019-06-07T09:17:11Z

Would then happen max 4 times a year. Any shorter absolute value be annoying indeed.

diosmosis · 2019-06-07T09:43:32Z

This PR implements an idle timeout, not an absolute one (the saved start time of the session updated on each request).

mattab · 2019-06-10T09:47:20Z

@tsteur could you please review this and merge?

core/Session/SessionAuth.php

core/Session/SessionFingerprint.php

core/Date.php

core/Session/SessionAuth.php

tsteur · 2019-06-11T08:17:12Z

Not sure what happens, I set login_session_not_remembered_idle_timeout = 30 and I log in, then it appears like I was logged in successfully but am still anonymous and then get also these warnings:

core/Session/SessionAuth.php(209): Warning - A non-numeric value encountered - Matomo 3.10.0-b3 - Please report this message in the Matomo forums: https://forum.matomo.org (please do a search first as it might have been reported already)

There is no login failure, I get forwarded to dashboard but am not logged in.

…rint.

tsteur · 2019-06-14T10:40:41Z

Works for me 👍 should be good to merge.

diosmosis added not-in-changelog For issues or pull requests that should not be included in our release changelog on matomo.org. Needs Review PRs that need a code review labels May 29, 2019

diosmosis added this to the 3.10.0 milestone May 29, 2019

diosmosis added 2 commits May 30, 2019 16:56

Detect expired sessions.

3f7aaef

Add INI config option and add tests.

4649f3d

mattab reviewed May 31, 2019

View reviewed changes

diosmosis added 2 commits June 2, 2019 09:16

Update config docs.

0728fb0

Merge branch '3.x-dev' into session-expire

cc44f38

mattab requested a review from tsteur June 10, 2019 09:47