SESSION COOKIE DOES NOT UPDATE EXPIRATION TIME #1239

Open
Ziggizag opened this issue Oct 4, 2021 · 2 comments

Ziggizag commented Oct 4, 2021

Hi,

In `base.php`, function `set($key,$val,$ttl=0)`, you set JAR with `session_set_cookie_params($jar)`.

The side effect is that the session cookie expiration time, if initially set, is never updated on page reload and the session eventually dies.

Please consider plain `setcookie(session_name(),session_id(), $jar)` instead of `session_set_cookie_params($jar)`.

Regards,

@mihailovs2000

No!
https://fatfreeframework.com/3.7/quick-reference#JAR
You must use JAR.lifetime = 86400 if you want the session to last 1 day.

@Ziggizag

@mihailovs2000 Thank you for your feedback, but I spent an entire afternoon trying to get this done (I am a FFF newbie) and finally decided to make my index.php like this:

```php
<?php
require_once("vendor/autoload.php");

$f3 = Base::instance();

// Load application settings and routes
$config = $f3->config(__DIR__ . '/config/config.ini');
$routes = $f3->config(__DIR__ . '/config/routes.ini');

// Database connection; PDO throws exceptions on errors
$db = new DB\SQL(
	$f3->get('devdb'),
	$f3->get('devdbusername'),
	$f3->get('devdbpassword'),
	[\PDO::ATTR_ERRMODE => \PDO::ERRMODE_EXCEPTION]
);

$f3->db = $db;

if (php_sapi_name() === "cli") {
	$f3->set('CACHE', FALSE);
} else {
	$f3->set('ONERROR',function($f3) {
		$f3->set('view','error.htm');
		echo \Template::instance()->render('layout.htm');
	});
}

if (php_sapi_name() !== "cli") {
	// Run session garbage collection on every request
	ini_set('session.gc_probability', 100);
	ini_set('session.gc_divisor', 100);
	ini_set('session.gc_maxlifetime', $f3->SESSION_TIMEOUT);
	if ($f3->get('CACHE')) {
		// Only if caching is enabled, as Session is Cache based!
		$f3->session=new DB\SQL\Session($db,'sessions',TRUE);
		if (!$f3->get('SESSION.token')) {
			$token=bin2hex(random_bytes(12));
			$f3->set('SESSION.token', $token);
		}
		// Re-send the session cookie on every request so its expiry moves forward
		setcookie(session_name(), session_id(), [
			'expires' => time()+$f3->SESSION_TIMEOUT,
			'path' => '/',
			'domain' => '',
			'secure' => TRUE,
			'httponly' => TRUE,
			'samesite' => 'strict'
		]);
	} else {
		$f3->error(406, 'Cache is disabled!');
	}
}

$f3->run();
```

Only this solution has been proven to work as expected.

The session token is being changed on reload due to a precise customer request (I recommended it being regenerated once per session, but the customer objected).

Perhaps I was doing something wrong, but I have already moved to another project, so I am not in a position to alter the code.

Thanks anyway!
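
The behaviour discussed in this thread, as an added example in plain PHP that is not part of the original issue and is not Fat-Free Framework code: a sliding session cookie whose expiry is refreshed on every request, with the idle limit and an absolute cap also enforced server-side. The function name `start_sliding_session`, the constants `IDLE_TTL` and `ABSOLUTE_TTL`, and the session keys `created` and `last_seen` are assumptions made for illustration.

```php
<?php
// Added example (plain PHP, not Fat-Free Framework code).
// IDLE_TTL and ABSOLUTE_TTL are assumed values chosen for illustration.
const IDLE_TTL = 1800;       // seconds of inactivity allowed
const ABSOLUTE_TTL = 28800;  // hard cap on total session age

function start_sliding_session(int $now): bool
{
    // Applies only when PHP issues a *new* session cookie; an existing
    // cookie is not re-sent by session_start(), so its expiry never moves.
    session_set_cookie_params([
        'lifetime' => IDLE_TTL,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Strict',
    ]);
    session_start();

    $created = $_SESSION['created'] ?? $now;
    $seen    = $_SESSION['last_seen'] ?? $now;

    // Enforce both limits server-side: the cookie's expiry is only a hint
    // to the browser and is ignored by a client that replays the ID.
    if ($now - $seen > IDLE_TTL || $now - $created > ABSOLUTE_TTL) {
        $_SESSION = [];
        session_destroy();
        setcookie(session_name(), '', ['expires' => 1, 'path' => '/',
            'secure' => true, 'httponly' => true, 'samesite' => 'Strict']);
        return false; // caller should require re-authentication
    }

    $_SESSION['created']   = $created;
    $_SESSION['last_seen'] = $now;

    // Slide the browser-side expiry, never past the absolute cap.
    $expires = min($now + IDLE_TTL, $created + ABSOLUTE_TTL);
    setcookie(session_name(), session_id(), [
        'expires'  => $expires,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Strict',
    ]);
    return true;
}

// Call once at the top of the front controller, before any output.
start_sliding_session(time());
```

`session.gc_maxlifetime` should be at least `IDLE_TTL`, otherwise the server may discard session data before the cookie expires.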
