
mahara-contributors team mailing list archive

[Bug 1588613] Re: Mahara not respecting session lifetime setting from admin config page

 

Okay, on further inspection into the PHP source code, it's apparent this
bug is even less of a problem (for non-memcache users) than I thought.

In the default "files" session handler in PHP, the garbage collector
actually doesn't do *anything* if your session directory depth is more
than 0. It just short-circuits out (see
https://github.com/php/php-src/blob/PHP-5.5.9/ext/session/mod_files.c#L445 ), and relies on an
external cron job to clean out old session files. The code for this is
virtually unchanged from PHP 5.3 to PHP 7.

The session directory depth referred to here is the optional first part
of the "session.save_path" ini setting, which Mahara sets to 3. So
Mahara cleans out its old session files using a cron script,
auth_remove_old_session_files() in auth/lib.php, which is set to run
once a day. Weirdly, although that function is operating in lieu of the
core PHP session cleaning function, it is hard-coded to add 2 days to
the session lifetime before it clears out old files!

-- 
https://bugs.launchpad.net/bugs/1588613

Title:
  Mahara not respecting session lifetime setting from admin config page

Status in Mahara:
  Confirmed
Status in Mahara 15.04 series:
  Confirmed
Status in Mahara 15.10 series:
  Confirmed
Status in Mahara 16.04 series:
  Confirmed
Status in Mahara 16.10 series:
  Confirmed

Bug description:
  It seems that after the last round of session fixing bugs, Mahara no
  longer respects the session lifetime setting that the admin can set on
  the site configuration page.

  This setting is stored in the database config table as
  "session_timeout". It's then retrieved from the database during
  session setup, and loaded into the "session.gc_maxlifetime" ini value.

  The problem is, we are now initiating the session *before* we launch
  the database connection. So when we are setting
  session.gc_maxlifetime, session_timeout isn't available, and instead
  we use the default value of 1440 seconds = 24 minutes.

  The quick workaround is to add your session_timeout setting to your
  config.php:

  $cfg->session_timeout = 14400; // session timeout of 4 hours

To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/1588613/+subscriptions
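
The following is an added example, not Mahara's code and not part of the message above: a cron-style cleaner for a `session.save_path` that uses a directory depth, deleting session files strictly by the configured lifetime with no extra grace period. The function names and the temp-directory demo data are hypothetical and constructed for illustration; it assumes PHP 7.1 or later.

```php
<?php
// Added example, not Mahara code. Function names are hypothetical.

/** Split a session.save_path value ("N;/path" or "N;MODE;/path") into [depth, path]. */
function parse_save_path(string $savePath): array {
    $parts = explode(';', $savePath);
    $path  = array_pop($parts);                  // the directory is always the last field
    $depth = $parts ? (int) $parts[0] : 0;       // no prefix means a flat directory
    return [$depth, $path];
}

/** Delete sess_* files not modified within $maxLifetime seconds; returns the count removed. */
function remove_expired_sessions(string $savePath, int $maxLifetime, ?int $now = null): int {
    [, $root] = parse_save_path($savePath);
    $cutoff  = ($now ?? time()) - $maxLifetime;  // no extra grace period added
    $removed = 0;
    // Walk every subdirectory level; symlinked directories are not followed by default.
    $iter = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($iter as $file) {
        if ($file->isFile() && !$file->isLink()
            && strncmp($file->getFilename(), 'sess_', 5) === 0
            && $file->getMTime() < $cutoff
            && @unlink($file->getPathname())) {
            $removed++;
        }
    }
    return $removed;
}

// Constructed demo: a depth-3 tree in a temp directory with one stale and one fresh session.
$root = sys_get_temp_dir() . '/sessdemo_' . bin2hex(random_bytes(4));
$now  = time();
foreach (['abc123' => 20000, 'def456' => 60] as $id => $age) {
    $dir = "$root/{$id[0]}/{$id[1]}/{$id[2]}";   // one directory level per leading id character
    mkdir($dir, 0700, true);
    touch("$dir/sess_$id", $now - $age);         // back-date the mtime by $age seconds
}
$lifetime = 14400;                               // the 4-hour value from the bug description
echo remove_expired_sessions("3;$root", $lifetime, $now), " file(s) removed\n";
```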

