From 9c74040c3bc30a82906fee27498119fdf3cb6efe Mon Sep 17 00:00:00 2001 From: Andrew Nicols Date: Sun, 16 Oct 2016 20:13:28 +0800 Subject: [PATCH] MDL-56129 core: Set a timeout on the session cookie This is primarily because iOS has changed something under the hood which means that only session cookies which have an expiry are passed around the OS. In order to make media playable outside of the browser (e.g. a video), we must set a session cookie timeout. Since the session timeout is configurable, this patch sets the cookie timeout to the session timeout plus a period of one week. This ensures that videos continue to work, and that the expired session message is shown on the login page, but without requiring excessively long session times.
---
 lib/classes/session/manager.php | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/lib/classes/session/manager.php b/lib/classes/session/manager.php
index 4d0386ba02acd..c75e12bbcbaed 100644
--- a/lib/classes/session/manager.php
+++ b/lib/classes/session/manager.php
@@ -252,7 +252,12 @@ protected static function prepare_cookies() {
 // Set configuration.
 session_name($sessionname);
- session_set_cookie_params(0, $CFG->sessioncookiepath, $CFG->sessioncookiedomain, $cookiesecure, $CFG->cookiehttponly);
+ // The session cookie expiry time cannot be extended so this needs to be set to a reasonable period, longer than
+ // the sessiontimeout.
+ // This ensures that the cookie is unlikely to timeout before the session does.
+ $sessionlifetime = $CFG->sessiontimeout + WEEKSECS;
+ session_set_cookie_params($sessionlifetime, $CFG->sessioncookiepath, $CFG->sessioncookiedomain,
+ $cookiesecure, $CFG->cookiehttponly);
 ini_set('session.use_trans_sid', '0');
 ini_set('session.use_only_cookies', '1');
 ini_set('session.hash_function', '0'); // For now MD5 - we do not have room for sha-1 in sessions table.
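Review bot: The non-zero lifetime now passed to `session_set_cookie_params()` turns the session cookie from a browser-session cookie into a persistent one, and the added comment does not record that consequence. With the old value `0` the cookie was discarded when the browser closed; it now stays in the browser's cookie store for `$CFG->sessiontimeout + WEEKSECS` seconds, so on a shared machine closing the browser no longer drops it and ending the session presumably depends on logout and the server-side timeout alone. I would add a line to the comment such as `// Note: the cookie now survives a browser restart; session termination relies on logout and the server-side sessiontimeout.` The type of `$CFG->sessiontimeout` is not visible here, so an explicit cast, `$sessionlifetime = (int)$CFG->sessiontimeout + WEEKSECS;`, would keep the arithmetic well defined if the setting arrives as a string or is empty. `prepare_cookies()` begins and continues outside this hunk.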