
FIX: Make session timeout inactive-time only.

By default, the Session.timeout configuration option specifies the total
session time, regardless of the amount of activity.  This change means
that the timeout specifies how long without any further dynamic requests
before the session cookie expires.

The way it does this is to re-set the session cookie expiry with a
subsequent Set-Cookie command each time a request that necessitates
a session is called.

Strictly speaking, it's a change in session timeout semantics, but I think
it's a good one, because total-session-time-regardless-of-activity is a
stupid timeout to include, and has more to do with the mechanics of the
internet than with application security requirements.
1 parent 87694b7 commit f2c918dc454aab054c8ef9dfaa85bc11eb8177c7 @sminnee sminnee committed May 31, 2013
Showing with 7 additions and 0 deletions.
  1. +7 −0 control/Session.php
@@ -535,6 +535,13 @@ public static function start($sid = null) {
// There's nothing we can do about this, because it's an operating system function!
if($sid) session_id($sid);
+ }
+ // Modify the timeout behaviour so it's the *inactive* time before the session expires.
+ // By default it's the total session lifetime
+ if($timeout && !headers_sent()) {
+ setcookie(session_name(), session_id(), time()+$timeout, $path, $domain ? $domain : null, $secure, true);
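Review bot: the `setcookie()` call re-issues the session cookie with `$path`, `$domain` and `$secure` values that are defined outside this hunk; unless they are exactly the parameters the original session cookie was issued with (the same path, domain and Secure flag that session_start() used), the browser will store a second, differently scoped cookie rather than replacing the first, and a Secure flag present on the original could be silently dropped on the refreshed copy. Suggest sourcing them from the same cookie configuration the session was started with, or from `session_get_cookie_params()`, rather than from separately maintained variables. A second point: this change makes the inactivity timeout depend solely on the client-honoured cookie expiry, `time()+$timeout`; the server-side session data lifetime is not touched here, so the commit should note that the server's garbage-collection lifetime must be at least `$timeout`, otherwise an active user can hold a valid cookie for session data the server has already discarded. The `!headers_sent()` guard and the `true` httponly argument look right.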
