Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

session timeout values #5961

Closed
samjaninf opened this issue Sep 21, 2017 · 4 comments
Closed

session timeout values #5961

samjaninf opened this issue Sep 21, 2017 · 4 comments
Labels
C: Framework C: PHP backend
Milestone
1.3.2

Comments

@samjaninf
Copy link

I was having an issue earlier this week with a new installation of roundcube 1.3.0 where I would log in and within 3 minutes the session would be invalidated and it would kick me back to the login page.

We finally solved this issue today by going into the php.ini file and changing the value of session.cookie_lifetime to 0 from 180.

Maybe I missed something or am just understanding it incorrectly but the value of session_lifetime inside the roundcube config.inc.php should determine how long the session lasts for.

The php.ini session.cookie_lifetime is counted in seconds. And the roundcube session_lifetime is counted in minutes according to the docs but roundcube seems to just ignore the setting in it's config file.

OS: CentOS 7
Roundcube version: 1.3.0
PHP version: 5.4.16
session_storage driver: memcache
session_lifetime: 30
@alecpl
Copy link
Member

alecpl commented Sep 22, 2017

session_lifetime defines how long the session will be valid after user closed the browser without logout. There's no mechanism in Roundcube that kicks off the user after a timeout, session is kept valid as long as the user is logged in (and e.g. the Internet connection is not lost) plus session_lifetime time.

Roundcube sets session.gc_maxlifetime value as session_lifetime * 60 * 2.

We do not set session.cookie_lifetime. Default is 0, so I'm curious if you set the value or it was like that in your system? I think session.cookie_lifetime must be 0 or in sync with session_lifetime to work properly. When you had cookie_lifetime=180 and session_lifetime=600 Roundcube didn't refresh the cookie in time.

I'm not sure we should force session.cookie_lifetime to be 0 or session_lifetime.

@alecpl alecpl added this to the 1.4-beta milestone Sep 22, 2017
@samjaninf
Copy link
Author

That absolutely does make sense. I did not set it. That was the default from where I installed it. The only change I made inside the php.ini file

FYI I used the kolab-webclient meta package. To install most of those packages.

@alecpl alecpl modified the milestones: 1.4-beta, 1.3.2 Oct 9, 2017
alecpl added a commit that referenced this issue Oct 9, 2017
@alecpl
Fix issue caused by non-default session.cookie_lifetime setting (#5961)
403d845
alecpl added a commit that referenced this issue Oct 9, 2017
@alecpl
Fix issue caused by non-default session.cookie_lifetime setting (#5961)
1bb9797
@alecpl
Copy link
Member

alecpl commented Oct 9, 2017

Fixed by forcing session.cookie_lifetime=0.

@alecpl alecpl closed this as completed Oct 9, 2017
@TCB13
Copy link

TCB13 commented Dec 28, 2024
edited
Loading

Fixed by forcing session.cookie_lifetime=0.

I see a problem with this, PHP docs says:
https://php.net/session.cookie-lifetime

session.cookie_lifetime specifies the lifetime of the cookie in seconds which is sent to the browser. The value 0 means "until the browser is closed." Defaults to 0.

Meaning if its forced to 0 it will be impossible to have sessions last after the browser is closed.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
C: Framework C: PHP backend
Projects
None yet
Milestone
1.3.2
Development

No branches or pull requests
3 participants
@alecpl @TCB13 @samjaninf