selfoss support forum - Login timeout setting https://forum.selfoss.aditu.de/ selfoss support forum en Login timeout setting (reply)

Is there a different way to keep the session alive, e.g. by cron job?

Not really, at least not a simple one. You could copy the session cookie and then replicate a browser request using e.g. curl but that likely will not work on shared hosting so you would need an extra script. And then update the session cookie each time it expired.

I think your best option would indeed be setting session.save_path as you mention (sorry, I missed your last post). Something like the following patch should work after creating the data/cache/sessions directory (though I have not tested it thoroughly):

--- a/src/common.php
+++ b/src/common.php
@@ -11,6 +11,15 @@ use Monolog\Logger;
 
 require __DIR__ . '/constants.php';
 
+ini_set('session.gc_maxlifetime', 30 * 24 * 60 * 60); // 30 days
+// Use a custom session directory so that sessions are not garbage collected by other services.
+ini_set('session.save_path', __DIR__ . '/../data/cache/sessions');
+// Restore the default probability to make GC run in 1/100 requests.
+// This is in case a web host disables GC in favour of a cron script,
+// which would not know about our custom save path.
+ini_set('session.gc_probability', 1);
+ini_set('session.gc_divisor', 100);
+
 /**
  * @param string $message
  *

Of the few downsides, I can see:

  • The session directory being under www root is not a best practice from security stand point since it will be potentially easier to access. If a malicious user gets access to the directory listing, they will see files like sess_15480c88b5d9c9bd5192f939ed05b885, whose names contain a session cookie that can be used to steal active user session. The .htaccess shipped with selfoss will prevent accessing the directory but if you use other web server than Apache, you need to make sure it is properly configured. Nor does selfoss contain any code that allow listing the directory contents. But if you are running other scripts in the same context, you need to trust them that they do not allow bypassing this.
  • The directory will contain an empty file for every time an agent connects to selfoss (even a bot). I would not care about this.
  • Garbage collection might slow down 1% of requests. Probably not a concern either.
  • You will need to apply this change every time you update selfoss.
]]> https://forum.selfoss.aditu.de/index.php?id=1484 https://forum.selfoss.aditu.de/index.php?id=1484 Tue, 22 Nov 2022 16:11:48 +0000 jtojnar Login timeout setting (reply) Well, I started seeing regular session termination on the server side recently since I have other php scripts running on the server. Sadly, I have no direct access to php.ini due to managed hosting, which only allows me to change certain variables in php.ini.

Is there a different way to keep the session alive, e.g. by cron job?

]]> https://forum.selfoss.aditu.de/index.php?id=1483 https://forum.selfoss.aditu.de/index.php?id=1483 Mon, 21 Nov 2022 20:21:29 +0000 micha83x Login timeout setting (reply) Ok, thanks for the heads up.
I had a read on the php documentation and now I am quite overwhelmed and scared to break things on my server ;D
For example, I am tempted to enable session.save_path. However, I have no idea about the side effects of disabled garbage collection and having to deal with it via a cron job.
Since my session was never ended after only 24 minutes in the past, I will first try how it works without without modifications to php.ini.
In case, I run into trouble, I will report back.

]]> https://forum.selfoss.aditu.de/index.php?id=1481 https://forum.selfoss.aditu.de/index.php?id=1481 Tue, 04 Oct 2022 19:23:23 +0000 micha83x Login timeout setting (reply) Right, the default cookie expiration is one month, but it is not the only factor you need to consider. There is also the session.gc_maxlifetime option in php.ini that defaults to 24 minutes. And, what is worse, even if we changed it in selfoss, the session might still end up being cleaned by PHP when another app runs on the same server and has shorter lifetime. So I would recommend setting it in php.ini yourself.

]]> https://forum.selfoss.aditu.de/index.php?id=1480 https://forum.selfoss.aditu.de/index.php?id=1480 Tue, 04 Oct 2022 14:40:33 +0000 jtojnar Login timeout setting (reply) This thread is old, but I did not find the question answered elsewhere. Thus, here is my workaround:

  • In file helpers/Authentication.php look for $cookie_expire =.
  • Change the value following the equal sign to a larger value than a month,
  • This leads to a later expiration date for the login cookie in your browser.

I am not proficient in php in any way, but looking at how the config.ini is accessed, you could also add the variable yourself:

  • In file helpers/Authentication.php set $cookie_expire = \F3::get('cookie_expire_seconds');.
  • In file config.ini add a line cookie_expire_seconds = 31536000.
  • Do not delete the new line at end of the config.ini!
  • This results in a expiration time of one year.
]]> https://forum.selfoss.aditu.de/index.php?id=1479 https://forum.selfoss.aditu.de/index.php?id=1479 Mon, 03 Oct 2022 18:37:39 +0000 micha83x Login timeout setting (reply) I also miss some setting there. Currently, I have to login almost each time when I want to see news. Would be great to extend it to at least one day.

]]> https://forum.selfoss.aditu.de/index.php?id=405 https://forum.selfoss.aditu.de/index.php?id=405 Fri, 03 May 2013 08:50:11 +0000 mkyral Login timeout setting What is the default time that a user will remain logged in?

I have had to disable the public side so I know whether I am still logged in or I get errors opening an item and it being attempted to be marked read.

Can this be changed?

]]> https://forum.selfoss.aditu.de/index.php?id=395 https://forum.selfoss.aditu.de/index.php?id=395 Sun, 28 Apr 2013 22:27:57 +0000 geniusmusing