Thursday, September 27, 2012

Re: Sessions expiring when they should not

BTW, another problem with setting the cookie to expire in 6 hours is that if the user has a clock that is not synced (i.e. more than 6 hours ahead), the browser will expire the session cookie and the user cannot stay logged in.

Best,
  Chris

On Tue, Sep 4, 2012 at 3:07 PM, Chris Cinelli <chris.cinelli@formativelearning.com> wrote:
It looks like the code is in CakeSession.php

I think I solved the cookie expiration problem with this in core.php:
    Configure::write('Session', array(
        'defaults'      => 'php',
        'cookieTimeout' => 0,     // 0 = session cookie: lives until the browser is closed
        'checkAgent'    => false  // partly works around the Chrome Frame user-agent problem
    ));


Pretty much all major websites manage session expiration using a session cookie (which gets removed when the browser is closed). Exceptions are websites that keep you logged in, like Facebook. They set the cookie expiration to a month after login (but the user actually has to check the box "keep me logged in").

I think, though, that setting the cookie expiration by default to 6h (I think it is the PHP session default) and NEVER updating it is a *BUG*. If the user is on the website for 6h, he should not be forced to log in again. This is a major problem if the user is writing some very long text into a page that saves the text with Ajax calls.

BTW, the default behavior can actually create more security problems than letting the cookie expire with the session. In fact, if the user is on a public computer and closes the browser to finish his/her session, the next user who connects before the 6h limit is going to be able to reconnect to the website under the previous user's credentials.

Best, Chris


On Tue, Sep 4, 2012 at 12:19 PM, Chris Cinelli <chris.cinelli@formativelearning.com> wrote:
Anybody who knows at least what the expected behavior is?
Is it normal that the CAKEPHP cookie has a 6h expiration after login and never gets updated?

Best,
    Chris


On Fri, Aug 31, 2012 at 2:20 PM, Chris Cinelli <chris.cinelli@formativelearning.com> wrote:
We are using CakePHP 2.2.1 on Ubuntu 12.04, but I notice this behavior also on my Mac running XAMPP, and as far as I know we have always had this problem.

I would expect that:
  1. The session expires after a certain amount of time if there are no more calls to the server.
  2. Activity on the server should update the expiring time.

Instead we noticed that after a certain amount of time, the user gets logged out and has to log back in even if he accessed a page just a minute before.
I actually even put in a "heartbeat" AJAX call that is called every 20 minutes and was supposed to prevent the session from expiring, but sessions keep getting lost.

Is this the intended behavior?

If it is not, I am not sure if the problem is in the frontend's cookie or the backend's session. I noticed that the CAKEPHP cookie has a 6h expiration time from when I log in and it never gets renewed.

Best,
   Chris



--
--Everything should be made as simple as possible, but not simpler (Albert Einstein)
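As an added illustration (not code from the thread, and not CakePHP's own code), here is the plain-PHP equivalent of the behaviour the Aug 31 message asks for and of the cookieTimeout => 0 setting in the Sep 4 message: a cookie that dies with the browser, plus a server-side idle timeout that every request (including a heartbeat call) renews. It assumes PHP 7.3 or newer and a hypothetical IDLE_TIMEOUT constant.

```php
<?php
// Added example, not from the thread or from CakeSession. IDLE_TIMEOUT is an
// assumed value: seconds of inactivity after which the server forgets the session.
const IDLE_TIMEOUT = 30 * 60;

// The shape of the problem described in the thread: a cookie given a fixed
// lifetime at login and never refreshed. It outlives the browser window, so the
// next person at a shared computer inherits the session until the 6h run out.
//   session_set_cookie_params(6 * 3600);   // fixed lifetime, never renewed

// Preferred shape: a true session cookie (lifetime 0 = removed when the browser
// closes), HttpOnly so page scripts cannot read it, Secure when served over TLS.
function startSession(bool $https): void
{
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => $https,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    // Server-side garbage collection must keep data at least as long as the idle window.
    ini_set('session.gc_maxlifetime', (string) IDLE_TIMEOUT);
    session_start();
}

// Sliding expiry: every request records activity; a gap longer than IDLE_TIMEOUT
// ends the session on the server regardless of what the browser still holds.
// Returns false when the session has been expired and the user must log in again.
function touchSession(int $now): bool
{
    $last = $_SESSION['last_activity'] ?? null;
    if ($last !== null && ($now - $last) > IDLE_TIMEOUT) {
        $_SESSION = [];
        session_destroy();
        return false;
    }
    $_SESSION['last_activity'] = $now;
    return true;
}

// On login, switch to a fresh session id so an id issued before login cannot be reused.
function onLogin(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION['user_id']       = $userId;
    $_SESSION['last_activity'] = time();
}
```

A request handler would call startSession() first and then touchSession(time()), treating a false result as a logged-out user; the 20-minute heartbeat in the thread would keep such a session alive as long as it stays under IDLE_TIMEOUT.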