MDL-56129 core: Set a timeout on the session cookie

This is primarily because iOS has changed something under the hood which means that only session cookies which have an expiry are passed around the OS. In order to make media playable outside of the browser (e.g. a video), we must set a session cookie timeout. Since the session timeout is configurable, this patch sets the cookie timeout to the session timeout plus a period of one week. This ensures that videos continue to work, and that the expired session message is shown on the login page, but without requiring excessively long session times.
moodle · Oct 24, 2016 · 638b683 · 638b683
1 parent 3d13576
commit 638b683
Showing 1 changed file with 6 additions and 1 deletion.
diff --git a/lib/classes/session/manager.php b/lib/classes/session/manager.php
@@ -243,7 +243,12 @@ protected static function prepare_cookies() {
 
         // Set configuration.
         session_name($sessionname);
-        session_set_cookie_params(0, $CFG->sessioncookiepath, $CFG->sessioncookiedomain, $cookiesecure, $CFG->cookiehttponly);
+        // The session cookie expiry time cannot be extended so this needs to be set to a reasonable period, longer than
+        // the sessiontimeout.
+        // This ensures that the cookie is unlikely to timeout before the session does.
+        $sessionlifetime = $CFG->sessiontimeout + WEEKSECS;
+        session_set_cookie_params($sessionlifetime, $CFG->sessioncookiepath, $CFG->sessioncookiedomain,
+                $cookiesecure, $CFG->cookiehttponly);
         ini_set('session.use_trans_sid', '0');
         ini_set('session.use_only_cookies', '1');
         ini_set('session.hash_function', '0');        // For now MD5 - we do not have room for sha-1 in sessions table.