cakephp: Session.timeout does not override anything

Description

The Session.timeout configuration option does not actually override the Session handler timeout value. Looking here, we can see a config array value being set using 60 * user override:

https://github.com/cakephp/cakephp/blob/5.x/src/Http/Session.php#L222-L224

But a few lines down, the value created above is not used:

https://github.com/cakephp/cakephp/blob/5.x/src/Http/Session.php#L243

Because of this, sessions time out regardless of what users have set in their config/app.php for the Session timeout.

    'Session' => [
        'defaults' => 'php',
        'timeout' => 0
    ],

CakePHP Version

5.0.4

PHP Version

8.2.11

About this issue

  • State: closed
  • Created 6 months ago
  • Comments: 15 (8 by maintainers)

Most upvoted comments

I applied it. Also commented on the PR regarding a better default.

Oh, I found the real issue here.

-- config/app.php
    'Session' => [
        'defaults' => 'php',
        'timeout' => 0
    ],

-- vendor/cakephp/cakephp/src/Http/Session.php
        ...
        $this->_lifetime = (int)ini_get('session.gc_maxlifetime');
        $this->_isCLI = (PHP_SAPI === 'cli' || PHP_SAPI === 'phpdbg');
        session_register_shutdown();
        var_dump($config);
        die(sprintf("lifetime: %d | config timeout: %d | config ini: %d", $this->_lifetime, $config['timeout'], $config['ini']['session.gc_maxlifetime']));

The above debug die results in this:

array(6) {
  ["ini"]=>
  array(5) {
    ["session.use_trans_sid"]=>
    int(0)
    ["session.cookie_samesite"]=>
    string(3) "Lax"
    ["session.use_strict_mode"]=>
    int(1)
    ["session.cookie_httponly"]=>
    int(1)
    ["session.cookie_path"]=>
    string(1) "/"
  }
  ["defaults"]=>
  string(3) "php"
  ["timeout"]=>
  int(0)
  ["cookiePath"]=>
  string(1) "/"
  ["cookie"]=>
  NULL
  ["handler"]=>
  array(0) {
  }
}

Warning (2): Undefined array key "session.gc_maxlifetime" [in /var/www/mboehm-dev/dipper/vendor/cakephp/cakephp/src/Http/Session.php, line 248]
lifetime: 1440 | config timeout: 0 | config ini: 0

We can see that session.gc_maxlifetime does not exist in $config['ini']. But why not? It's because of int(0) evaluating to false:

https://github.com/cakephp/cakephp/blob/e8601c848cfc92af5aebc3d13ed7434cb333e4e8/src/Http/Session.php#L222

I'm trying to set an int(0) timeout value, but if ($config['timeout']) evaluates to false, so the line of code that should create $config['ini']['session.gc_maxlifetime'] does not run; options() therefore does not modify the ini session.gc_maxlifetime, and $_lifetime is never modified.

good grief. we both missed that. 😃

I modified the check. The default value of timeout is null. If any other value is provided, the block executes and the ini override is set.

        if (!is_null($config['timeout'])) {
            $config['ini']['session.gc_maxlifetime'] = 60 * $config['timeout'];
        }

New result from above die(sprintf()):

array(6) {
  ["ini"]=>
  array(6) {
    ["session.use_trans_sid"]=>
    int(0)
    ["session.cookie_samesite"]=>
    string(3) "Lax"
    ["session.use_strict_mode"]=>
    int(1)
    ["session.cookie_httponly"]=>
    int(1)
    ["session.gc_maxlifetime"]=>
    int(0)
    ["session.cookie_path"]=>
    string(1) "/"
  }
  ["defaults"]=>
  string(3) "php"
  ["timeout"]=>
  int(0)
  ["cookiePath"]=>
  string(1) "/"
  ["cookie"]=>
  NULL
  ["handler"]=>
  array(0) {
  }
}
lifetime: 0 | config timeout: 0 | config ini: 0

And that works!
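The truthiness bug traced in the comments above, as an added worked example in plain PHP. This is not CakePHP's code: buildIniBuggy(), buildIniFixed() and effectiveLifetime() are hypothetical helpers that model only the option normalisation and the later read-back of the lifetime; the real Session class applies the ini array with ini_set() and reads the lifetime back with ini_get(), as the debug die() above shows. The three configs at the bottom are constructed for the example (the first one is the reporter's).

```php
<?php
// Added example, not CakePHP's own code. Models why a configured timeout of 0
// is silently dropped by a truthiness check and kept by a null check.

declare(strict_types=1);

/**
 * Buggy form: `if ($config['timeout'])` treats 0 (and "0", null, false) as
 * "no override", so session.gc_maxlifetime is never written into the ini array.
 */
function buildIniBuggy(array $config): array
{
    $config += ['timeout' => null, 'ini' => []];   // defaults, as the class would supply
    if ($config['timeout']) {
        $config['ini']['session.gc_maxlifetime'] = 60 * $config['timeout'];
    }
    return $config['ini'];
}

/**
 * Fixed form: only an absent/null timeout means "leave PHP's default alone";
 * any integer, including 0, is forwarded to the ini override.
 */
function buildIniFixed(array $config): array
{
    $config += ['timeout' => null, 'ini' => []];
    if ($config['timeout'] !== null) {
        $config['ini']['session.gc_maxlifetime'] = 60 * (int)$config['timeout'];
    }
    return $config['ini'];
}

/**
 * Hypothetical stand-in for `(int)ini_get('session.gc_maxlifetime')`: whatever
 * landed in the ini array is what the class would read back; otherwise PHP's
 * default of 1440 seconds applies.
 */
function effectiveLifetime(array $ini, int $phpDefault = 1440): int
{
    return (int)($ini['session.gc_maxlifetime'] ?? $phpDefault);
}

// Constructed sample configs for the demonstration.
$cases = [
    ['defaults' => 'php', 'timeout' => 0],    // the reporter's config/app.php
    ['defaults' => 'php', 'timeout' => 30],   // an ordinary override in minutes
    ['defaults' => 'php'],                    // no timeout key at all
];

foreach ($cases as $config) {
    printf(
        "timeout=%-5s buggy lifetime=%-5d fixed lifetime=%d\n",
        var_export($config['timeout'] ?? null, true),
        effectiveLifetime(buildIniBuggy($config)),
        effectiveLifetime(buildIniFixed($config))
    );
}
```

Run it with `php example.php`: with the buggy check, timeout 0 and a missing timeout are indistinguishable and both fall back to PHP's 1440 seconds, while the fixed check forwards 0 and leaves only the missing key on the default. One caveat on the fixed behaviour, which is plain PHP semantics rather than anything on this page: session.gc_maxlifetime is the age in seconds after which PHP's session garbage collector treats stored session data as garbage, so a forwarded 0 makes that data collectable at the next GC run, which is not the same thing as "sessions never expire".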