Login timeout setting
Is there a different way to keep the session alive, e.g. by cron job?
Not really, at least not a simple one. You could copy the session cookie and then replicate a browser request using e.g. curl but that likely will not work on shared hosting so you would need an extra script. And then update the session cookie each time it expired.
I think your best option would indeed be setting session.save_path as you mention (sorry, I missed your last post). Something like the following patch should work after creating the data/cache/sessions directory (though I have not tested it thoroughly):
--- a/src/common.php
+++ b/src/common.php
@@ -11,6 +11,15 @@ use Monolog\Logger;
require __DIR__ . '/constants.php';
+ini_set('session.gc_maxlifetime', 30 * 24 * 60 * 60); // 30 days
+// Use a custom session directory so that sessions are not garbage collected by other services.
+ini_set('session.save_path', __DIR__ . '/../data/cache/sessions');
+// Restore the default probability to make GC run in 1/100 requests.
+// This is in case a web host disables GC in favour of a cron script,
+// which would not know about our custom save path.
+ini_set('session.gc_probability', 1);
+ini_set('session.gc_divisor', 100);
+
/**
* @param string $message
*
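Review bot: the `ini_set('session.save_path', __DIR__ . '/../data/cache/sessions');` line assumes the directory already exists and is writable by PHP, and nothing in this hunk creates or checks it, so a missing directory only surfaces later as a session that cannot be stored. Guard it with an `is_dir()` check that either creates the directory with mode 0700 or stops with a clear error. The comment above that line explains why the path is custom; it could also say that the directory must not be reachable over HTTP, since that requirement is not obvious from the code.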
Of the few downsides, I can see:
- The session directory being under the www root is not a best practice from a security standpoint since it will be potentially easier to access. If a malicious user gets access to the directory listing, they will see files like sess_15480c88b5d9c9bd5192f939ed05b885, whose names contain a session cookie that can be used to steal an active user session. The .htaccess shipped with selfoss will prevent accessing the directory, but if you use a web server other than Apache, you need to make sure it is properly configured. Nor does selfoss contain any code that allows listing the directory contents. But if you are running other scripts in the same context, you need to trust them that they do not allow bypassing this.
- The directory will contain an empty file for every time an agent connects to selfoss (even a bot). I would not care about this.
- Garbage collection might slow down 1% of requests. Probably not a concern either.
- You will need to apply this change every time you update selfoss.
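A way to check two of the points above on a running install, as an added example that is not part of the original post or of selfoss: the function below reports whether the session directory is accessible beyond its owner and whether session files older than the 30-day lifetime are still lying around (which would mean garbage collection is not running). The function name, the output labels and the return codes are made up for this example.

```shell
#!/bin/sh
# Added example (not selfoss code): audit a custom PHP session directory.
# Usage: audit_session_dir /path/to/selfoss/data/cache/sessions [max_age_days]
# Returns 0 when nothing is found, 1 on a finding, 2 when the directory is missing.
audit_session_dir() {
    dir=$1
    max_days=${2:-30}   # default mirrors the 30-day session.gc_maxlifetime in the patch
    status=0

    if [ ! -d "$dir" ]; then
        echo "MISSING: $dir does not exist, PHP cannot store sessions there"
        return 2
    fi

    # Characters 5-10 of the ls mode string are the group and other permission
    # bits. Any bit set there lets other local accounts list the sess_<id> file
    # names, and each name contains a usable session ID.
    go_bits=$(ls -ld "$dir" | cut -c5-10)
    if [ "$go_bits" != "------" ]; then
        echo "PERMS: $dir is accessible beyond its owner ($go_bits), expected mode 700"
        status=1
    fi

    # Files not modified for longer than the session lifetime should have been
    # removed by PHP's probabilistic GC (gc_probability / gc_divisor).
    stale=$(find "$dir" -type f -name 'sess_*' -mtime +"$max_days" | wc -l | tr -d ' ')
    if [ "$stale" -gt 0 ]; then
        echo "STALE: $stale session file(s) older than $max_days days, GC may not be running"
        status=1
    fi

    return "$status"
}
```

This only covers local file permissions and stale files; whether the directory is reachable over HTTP still has to be verified against the web server configuration.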
Complete thread:
- Login timeout setting - geniusmusing, 2013-04-29, 00:27
- Login timeout setting - mkyral, 2013-05-03, 10:50
- Login timeout setting - micha83x, 2022-10-03, 20:37
- Login timeout setting - jtojnar, 2022-10-04, 16:40
- Login timeout setting - micha83x, 2022-10-04, 21:23
- Login timeout setting - micha83x, 2022-11-21, 21:21
- Login timeout setting - jtojnar, 2022-11-22, 17:11