bcosca / fatfree

A powerful yet easy-to-use PHP micro-framework designed to help you build dynamic and robust Web applications - fast!

SESSION COOKIE DOES NOT UPDATE EXPIRATION TIME #1239

Open Ziggizag opened 2 years ago

Ziggizag commented 2 years ago

Hi,

In base.php function set($key,$val,$ttl=0) you set JAR with session_set_cookie_params($jar).

The side effect is that the session cookie expiration time, if initially set, is never updated on page reload, and the session eventually dies.

Please consider plain setcookie(session_name(), session_id(), $jar) instead of session_set_cookie_params($jar).

Regards,

mihailovs2000 commented 2 years ago

No! https://fatfreeframework.com/3.7/quick-reference#JAR You must use JAR.lifetime = 86400 if you want the session to last 1 day.

Ziggizag commented 2 years ago

@mihailovs2000 Thank you for your feedback, but I spent an entire afternoon trying to get this done (I am a FFF newbie) and finally decided to make my index.php like this:

<?php
require_once("vendor/autoload.php");

$f3 = Base::instance();

// Load framework settings and routes
$config = $f3->config(__DIR__ . '/config/config.ini');
$routes = $f3->config(__DIR__ . '/config/routes.ini');

$db = new DB\SQL(
    $f3->get('devdb'),
    $f3->get('devdbusername'),
    $f3->get('devdbpassword'),
    [\PDO::ATTR_ERRMODE => \PDO::ERRMODE_EXCEPTION]
);

$f3->db = $db;

if (php_sapi_name() === "cli") {
    $f3->set('CACHE', FALSE);
} else {
    $f3->set('ONERROR', function($f3) {
        $f3->set('view', 'error.htm');
        echo \Template::instance()->render('layout.htm');
    });
}

if (php_sapi_name() !== "cli") {
    // Run session garbage collection on every request, using the app's own timeout
    ini_set('session.gc_probability', 100);
    ini_set('session.gc_divisor', 100);
    ini_set('session.gc_maxlifetime', $f3->SESSION_TIMEOUT);
    if ($f3->get('CACHE')) {
        // Only if caching is enabled, as Session is Cache based!
        $f3->session = new DB\SQL\Session($db, 'sessions', TRUE);
        if (!$f3->get('SESSION.token')) {
            $token = bin2hex(random_bytes(12));
            $f3->set('SESSION.token', $token);
        }
        // Re-send the session cookie so its expiry moves forward on every request
        setcookie(session_name(), session_id(), [
            'expires'  => time() + $f3->SESSION_TIMEOUT,
            'path'     => '/',
            'domain'   => '',
            'secure'   => TRUE,
            'httponly' => TRUE,
            'samesite' => 'Strict'
        ]);
    } else {
        $f3->error(406, 'Cache is disabled!');
    }
}

$f3->run();

Only this solution has been proven to work as expected.

The session token is being changed on reload due to a precise customer request (I recommended regenerating it once per session, but the customer objected).

Perhaps I was doing something wrong, but I have already moved on to another project, so I am not in a position to alter the code.

Thanks anyway!
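The mechanism behind this thread, as an added example that is not code from the fatfree project or from either participant: PHP emits the session Set-Cookie header only when the session ID is newly created, so `session_set_cookie_params()` alone never moves the expiry on later requests; re-sending the cookie with `setcookie()` gives a sliding expiry. The helper below also rate-limits the refresh and refuses to send when headers are already out. The JAR key names (`lifetime`, `path`, `domain`, `secure`, `httponly`, `samesite`) are assumed to follow F3's JAR layout.

```php
<?php
// Added example (not fatfree code). Sliding session expiry via setcookie().
// Assumes a JAR-shaped array with lifetime (seconds), path, domain, secure,
// httponly and samesite keys, as in F3's JAR hive.

// Translate JAR settings into setcookie() options with a fresh 'expires'.
// Defaults are hardened: Secure, HttpOnly and SameSite=Strict unless the JAR
// explicitly says otherwise.
function cookieOptionsFromJar(array $jar, int $now): array
{
    return [
        'expires'  => $now + (int) ($jar['lifetime'] ?? 0),
        'path'     => $jar['path'] ?? '/',
        'domain'   => $jar['domain'] ?? '',
        'secure'   => (bool) ($jar['secure'] ?? true),
        'httponly' => (bool) ($jar['httponly'] ?? true),
        'samesite' => $jar['samesite'] ?? 'Strict',
    ];
}

// Only re-send the cookie when at least $minInterval seconds have passed since
// the last refresh, so a page that fires many requests does not emit a
// Set-Cookie header on every one of them. The timestamp lives in the session.
function shouldRefresh(array &$session, int $now, int $minInterval): bool
{
    $last = (int) ($session['_cookie_refreshed'] ?? 0);
    if ($now - $last < $minInterval) {
        return false;
    }
    $session['_cookie_refreshed'] = $now;
    return true;
}

// Call after the session has been started. Returns true when a refreshed
// cookie was queued, false when nothing was (no session, headers already
// sent, or refreshed too recently).
function refreshSessionCookie(array $jar, int $minInterval = 60): bool
{
    if (session_status() !== PHP_SESSION_ACTIVE || headers_sent()) {
        return false;
    }
    $now = time();
    if (!shouldRefresh($_SESSION, $now, $minInterval)) {
        return false;
    }
    return setcookie(session_name(), session_id(), cookieOptionsFromJar($jar, $now));
}

// Example: a 30-minute sliding session, refreshed at most once a minute.
// refreshSessionCookie(['lifetime' => 1800, 'path' => '/', 'domain' => '',
//     'secure' => true, 'httponly' => true, 'samesite' => 'Strict']);
```

With session.gc_maxlifetime set to the same value as `lifetime`, the server-side record and the browser cookie expire together, which is the behaviour the original poster was after.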