contao / core-bundle

[READ-ONLY] Contao Core Bundle
GNU Lesser General Public License v3.0

BE Session timeout #1500

Closed asaage closed 6 years ago

asaage commented 6 years ago

I usually increase the Session timeout: System>Settings>Timeout values>Session timeout from default 3600 to 36000

But for some reason that doesn't work for me. After ~1h absence I have to log in again. No IP change is happening in this time and my phpinfo() tells me:

session.cookie_lifetime = 0
session.gc_maxlifetime = 1440

The PHPSESSID cookie is valid until the end of the session.

Can anyone else confirm this?

xchs commented 6 years ago

See https://github.com/contao/core-bundle/issues/1428

Anke commented 1 year ago

I don't quite understand. I have a new 5.1 installation and was logged out of the backend after 30 minutes during a phone call. Since I cannot change php-ini settings does that mean I have to hit a cursor key or play with the mouse in the BE while being on the phone, so I can resume my work? While 30 minute sessions may be desirable for BE editors, it seems somewhat counter-productive for admins.

fritzmg commented 1 year ago

does that mean I have to hit a cursor key or play with the mouse in the BE

No, you need to make actual requests.

Since I cannot change php-ini settings

Then you will need to implement a keep-alive request for your back end.
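An added example, not part of the original thread and not Contao code, of the keep-alive request suggested above: a browser-side timer that pings a login-protected back end route more often than `session.gc_maxlifetime`, stops once the session is already gone, and gives up after a hard cap so an unattended tab does not hold a back end session open indefinitely. The function and option names, the `/contao` URL and the four-hour cap are assumptions.

```javascript
// Added example, not Contao code. All function and option names are hypothetical.
const DEFAULTS = {
  url: '/contao',                 // assumption: a back end route that requires login
  gcMaxLifetimeSec: 1440,         // session.gc_maxlifetime reported in this thread
  maxDurationMs: 4 * 3600 * 1000, // hard cap: an unattended tab must not hold a session open forever
};

// Ping at half the server-side lifetime so a single failed request does not lose the session.
function pingIntervalMs(gcMaxLifetimeSec) {
  if (!Number.isFinite(gcMaxLifetimeSec) || gcMaxLifetimeSec < 60) {
    throw new RangeError('gc_maxlifetime is too short for a keep-alive');
  }
  return Math.floor(gcMaxLifetimeSec / 2) * 1000;
}

// With redirect: 'manual', a bounce to the login form shows up as an opaque redirect.
function sessionAlive(res) {
  return res.ok === true && res.type !== 'opaqueredirect';
}

function startKeepAlive(options = {}, env = {}) {
  const cfg = { ...DEFAULTS, ...options };
  const fetchFn = env.fetch || globalThis.fetch;
  const now = env.now || Date.now;
  const setTimer = env.setTimer || setTimeout;
  const clearTimer = env.clearTimer || clearTimeout;
  const interval = pingIntervalMs(cfg.gcMaxLifetimeSec);
  const startedAt = now();
  let timer = null;
  const handle = {
    status: 'running',
    stop() { clearTimer(timer); handle.status = 'stopped'; },
  };

  async function tick() {
    if (handle.status !== 'running') return;
    if (now() - startedAt >= cfg.maxDurationMs) { handle.status = 'stopped:cap-reached'; return; }
    try {
      const res = await fetchFn(cfg.url, { credentials: 'same-origin', cache: 'no-store', redirect: 'manual' });
      if (!sessionAlive(res)) { handle.status = 'stopped:logged-out'; return; }
    } catch (err) {
      // Network error (for example the machine was asleep): try again on the next tick.
    }
    if (handle.status === 'running') timer = setTimer(tick, interval);
  }

  timer = setTimer(tick, interval);
  return handle;
}
```

Calling `startKeepAlive()` from a script loaded in the back end starts the timer; the returned handle's `stop()` ends it early and `status` reports why it stopped.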

ausi commented 1 year ago

Since I cannot change php-ini settings

Why can’t you change PHP ini settings?

Anke commented 1 year ago

I can only change a few settings, not session.gc_maxlifetime e.g.. So I'll use the autologin of my password manager. After all those years I am still bewildered at times by the differences between user requirements and developer realizations ...

ausi commented 1 year ago

After all those years I am still bewildered at times by the differences between user requirements and developer realizations ...

What would your suggestion be that we as developers should do in this case? session.gc_maxlifetime controls in PHP after how long session data should get deleted. After the session data is deleted, Contao has no way to access it anymore.

I can only change a few settings, not session.gc_maxlifetime e.g..

What is the reasoning behind this? Can you please ask your hosting provider for an explanation?

Anke commented 1 year ago

After all those years I am still bewildered at times by the differences between user requirements and developer realizations ...

What would your suggestion be that we as developers should do in this case? session.gc_maxlifetime controls in PHP after how long session data should get deleted. After the session data is deleted, Contao has no way to access it anymore.

I wouldn't know, that's why I'm counting on developers with smart ideas ;-) - according to the motto, where there's a will or big enough need, there's a way. Seriously: As a user all I know I had a session duration setting in Contao 3, now I have a really neat modern Contao version without it.

I can only change a few settings, not session.gc_maxlifetime e.g..

What is the reasoning behind this? Can you please ask your hosting provider for an explanation?

It's Ionos shared hosting. I'll ask.

fritzmg commented 1 year ago

Seriously: As a user all I know I had a session duration setting in Contao 3, now I have a really neat modern Contao version without it.

The behaviour would be the same in Contao 3. This PHP setting applies to all PHP applications.

fritzmg commented 1 year ago

Seriously: As a user all I know I had a session duration setting in Contao 3, now I have a really neat modern Contao version without it.

The behaviour would be the same in Contao 3. This PHP setting applies to all PHP applications.

I was wrong about that - Contao 2/3 did in fact implement its own database based session storage (while still using the PHP session ID).

In Contao 4+ your only option is to increase gc_maxlifetime or configure a different session storage. See

ausi commented 1 year ago

I read through the documentation of Symfony session and it seems that it is possible to overwrite gc_maxlifetime in the session config: https://symfony.com/doc/current/reference/configuration/framework.html#gc-maxlifetime

@Anke can you please try if it works for you if you add the following to your config/config.yaml

framework:
    session:
        gc_maxlifetime: 7200

Anke commented 1 year ago

Okay, I'll try and report here. Probably tomorrow, though. Would be great!

EDIT: Seems to be working! Thank you! EDIT 2: Or maybe not after all. I was just away from the computer for a little under an hour, and it had already gone into standby. By then I was logged out of the BE again.