FIX: Make session timeout inactive-time only.
By default, the Session.timeout configuration option specifies the total
session time, regardless of the amount of activity.  This change means
that the timeout specifies how long without any further dynamic requests
before the session cookie expires.

The way it does this is to re-set the session cookie expiry with a
subsequent Set-Cookie command each time a request that necessitates
a session is called.

Strictly speaking, it's a change in session timeout semantics, but I think
it's a good one, because total-session-time-regardless-of-activity is a
stupid timeout to include, and has more to do with the mechanics of the
internet than with application security requirements.
Sam Minnee committed May 31, 2013
1 parent 87694b7 commit f2c918d
Showing 1 changed file with 7 additions and 0 deletions.
7 changes: 7 additions & 0 deletions control/Session.php
@@ -535,6 +535,13 @@ public static function start($sid = null) {
// There's nothing we can do about this, because it's an operating system function!
if($sid) session_id($sid);
@session_start();

}

// Modify the timeout behaviour so it's the *inactive* time before the session expires.
// By default it's the total session lifetime
if($timeout && !headers_sent()) {
setcookie(session_name(), session_id(), time()+$timeout, $path, $domain ? $domain : null, $secure, true);
}
}
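Review bot: the new setcookie() call at the end of the hunk only moves the cookie's client-side expiry; nothing in this hunk refreshes the server-side session data, so its lifetime (whatever session.gc_maxlifetime or the cookie params set earlier in start() give it) can end before or after the cookie does, leaving either a client holding a cookie the server no longer honours or server state that outlives the cookie. Consider refreshing the server-side lifetime at the same point, or documenting that Session.timeout must stay at or below the garbage-collection lifetime. Since the sliding expiry replaces the absolute one, a session cookie now stays valid for as long as whoever holds it keeps making requests; an optional absolute cap next to the inactivity timeout would keep that bound. Minor: `$timeout`, `$path`, `$domain` and `$secure` are assumed to be set above this hunk, and the `!headers_sent()` guard skips the refresh silently once output has started, which deserves at least a log line.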

