Closed elfeck closed 6 years ago
Sessions are currently always validated against the database, as it's really easy to configure a client to just keep them around longer. So to answer your question: The TTL you set on the client doesn't really matter at all.
Thank you for the quick reply! As a follow-up (if you have time): Could you quickly explain the purpose of
sessionRegenerateId
?
It should be called after successful auth and it mainly helps prevent session fixation attacks.
Okay, thanks again.
Hello,
I use the default session storage but with a custom configuration. In my App, I store sessions in my database, consisting (UserId, validUntil) fields (similar to funblog).
As I understand the session TTL is determined by the both the internal TTL of the session storage and the validUntil in my DB. I suppose, the actual TTL is the minimum of those to values.
Question: Is there a security issue in setting the interal session TTL to something very high like 1 year and controlling the validity of sessions only via the DB entry?
That is, upon querying the DB and finding that the session is no longer valid, I require a new login. During login I replace the DB entry with a new one and call
sessionRegenerateId
andwriteSession $ Just newSid
.I ask this, because I want different session TTLs for different user-access-levels, the lowest of which should have long session TTLs.
Thank you!