Fix session/cookie timeouts

Cookie timeouts should NOT be configurable. At a minimum, it definitely should not use the value of $conf['session']['timeout']. We almost certainly want cookies to not expire until the browser is closed. I can't think of a single reason why this shouldn't be the case - hence, no need to make this configurable. Conversely, we were not correctly setting session.gc_maxlifetime based on the value of $conf['session']['timeout']. By default, this is the only way to cause timeouts - however, it will not reliably expire right at the timelimit since the garbage collector is not run on every access. But this is the tradeoff absent doing (potentially expensive) timeout calculations on every access.
horde · Aug 31, 2011 · 2bbd679 · 2bbd679
1 parent 6a0d079
commit 2bbd679
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 6 deletions.
diff --git a/framework/Core/lib/Horde/Session.php b/framework/Core/lib/Horde/Session.php
@@ -114,8 +114,12 @@ public function setup($start = true, $cache_limiter = null,
             }
         }
 
+        if (!empty($conf['session']['timeout'])) {
+            ini_set('session.gc_maxlifetime', $conf['session']['timeout']);
+        }
+
         session_set_cookie_params(
-            $conf['session']['timeout'],
+            0,
             $conf['cookie']['path'],
             $conf['cookie']['domain'],
             $conf['use_ssl'] == 1 ? 1 : 0

diff --git a/framework/Core/package.xml b/framework/Core/package.xml
@@ -28,8 +28,8 @@
   <email>mrubinsk@horde.org</email>
   <active>yes</active>
  </developer>
- <date>2011-08-30</date>
- <time>14:03:41</time>
+ <date>2011-08-31</date>
+ <time>00:13:40</time>
  <version>
   <release>1.4.2</release>
   <api>1.4.0</api>
@@ -40,7 +40,8 @@
  </stability>
  <license uri="http://www.gnu.org/copyleft/lesser.html">LGPL</license>
  <notes>
-* 
+* [mms] Correctly apply value of $conf[&apos;session&apos;][&apos;timeout&apos;] to PHP environment.
+* [mms] Fix cookie timeouts.
  </notes>
  <contents>
   <dir baseinstalldir="/" name="/">
@@ -1560,10 +1561,11 @@
    <stability>
     <release>stable</release>
     <api>stable</api></stability>
-   <date>2011-08-30</date>
+   <date>2011-08-31</date>
    <license uri="http://www.gnu.org/copyleft/lesser.html">LGPL</license>
    <notes>
-* 
+* [mms] Correctly apply value of $conf[&apos;session&apos;][&apos;timeout&apos;] to PHP environment.
+* [mms] Fix cookie timeouts.
    </notes>
   </release>
  </changelog>