e107help.org Q&A

Hello,

To prevent abuse of specific website services, I make use of:

e107::getSession()->check(false);

...in response to certain user requests. However, there are situations where the user might open a page, leave the page open for a long time, and then perform some action. In such situations, my check will return false, and tell the user that the session has timed out. But I'd like to be able to 'auto-renew' the token if necessary.

I've been trying to follow through the logic in session_handler.php, but I haven't been able to determine how or when the duration of the XSF token is set. Is there a call I can make to find this value - so that I can set a timer in JavaScript, and then tell the session_handler to renew the token for the page on demand?

Thank you in advance.

e107 version: 2.1.8 (git)
closed with the note: More research required.
I see now that this is determined by the settings in Admin Area -> Preferences -> Security and Protection.

I have "User Tracking method" set to "Cookies", and below that I see the "Session Lifetime" set to 86400 seconds (24 hours).

I have "Cookie/Session name" set to (for the sake of the discussion) "my_cookie".

Curiously, looking at Firefox's "Storage Inspector" tool (Tools -> Web Developer -> Storage Inspector), I see a cookie named "my_cookieSID" (I note in session_handler.php, in the constructor for the 'e_core_session' class that 'SID' is appended to the cookie name, so that's where that comes from), but the "Expires on" value lists a datestamp which is only one hour forward in time, rather than the 24 hours specified in Preferences. And, indeed, my session seems to expire after 60 minutes, so I'm not quite sure what is going on there. Looking in "php.ini" I see that "session.gc_maxlifetime" is also set to 24 hours, so that doesn't seem to be a factor.


Edit: I see that in session_handler.php, the $_options array for the e_session class has a default value of one hour. But I've put error_log debug statements at every location (that I can see) in the file where the 'lifetime' field is assigned, and they all show 86400 seconds. Confused at present about how the cookie is being set to expire after 60 minutes.
On technical questions like this, you are more likely to receive a useful response on GitHub. Please submit your question there, I'll label it accordingly to make sure the answer is added to the documentation as well.
Thanks Moc - I've just come back to this issue having been focusing on other things for a few days, and contrary to my previous message, the gc_maxlifetime time is set to 24 minutes in my php.ini file, not 1 hour - which seems more in line with the session expiry time that I'm observing. Anyway, I'll close this for now and continue my investigations.
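
The thread names two PHP limits that can end a session before the application's configured lifetime: the session cookie's lifetime and session.gc_maxlifetime. The check below is an added example, not part of the original posts and not e107 code; the function name audit_session_lifetime is hypothetical and the sample values are constructed from the numbers mentioned in the thread.

```php
<?php
// Added example: not e107 code. $intended stands for the "Session Lifetime"
// preference (86400 s in the thread); the other two values come from PHP.

/**
 * Compare the lifetime the application intends with the two PHP limits that
 * can end a session earlier, and return human-readable findings.
 */
function audit_session_lifetime(int $intended, int $cookieLifetime, int $gcMaxLifetime): array
{
    $findings = [];

    // Cookie lifetime 0 means "until the browser closes", not "no limit".
    if ($cookieLifetime === 0) {
        $findings[] = 'cookie: session cookie, dropped when the browser closes';
    } elseif ($cookieLifetime < $intended) {
        $findings[] = sprintf('cookie: expires after %d s, intended %d s', $cookieLifetime, $intended);
    }

    // Server side: data idle longer than gc_maxlifetime may be garbage-collected.
    if ($gcMaxLifetime < $intended) {
        $findings[] = sprintf('gc: idle data eligible for removal after %d s, intended %d s', $gcMaxLifetime, $intended);
    }

    // Whichever limit is reached first bounds how long the session can last.
    $limits = [$gcMaxLifetime];
    if ($cookieLifetime > 0) {
        $limits[] = $cookieLifetime;
    }
    $findings[] = sprintf('effective upper bound: %d s', min($intended, ...$limits));

    return $findings;
}

// Constructed values from the thread: 86400 s preference, 1 h cookie, 24 min GC.
print_r(audit_session_lifetime(86400, 3600, 1440));

// On a live server, read the real values after the application has set up its
// session, and do it under the web server (the CLI may load another php.ini):
// $cookie = session_get_cookie_params()['lifetime'];
// $gc     = (int) ini_get('session.gc_maxlifetime');
```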