fuel / core

Fuel PHP Framework - The core of the Fuel v1 framework
http://fuelphp.com

Session: cookie expires when data is not modified #768

Closed Savageman closed 12 years ago

Savageman commented 12 years ago

Hello there.

I've been noticing that the cookie of the session is not updated when we don't modify the session data. So it expires automatically, even when we continue visiting the application.

My use case is simple: when starting the application, the user is required to log in. The result is saved in session. I never touch the session again after that, I just read it. After 2 hours the user is required to log in again because expire_time is 72000.

I see 3 solutions here:

Cheers, Julian.

WanWizard commented 12 years ago

Do you autoload the session (in config.php, always load)?

If not, and you don't use a single session method, the session class is never loaded, so the shutdown event that updates the session is never registered.

So if your application uses sessions, always load the session class, or make sure your (base) controllers do.

FuelPHP doesn't load anything by default, this behaviour is by design.

jschreuder commented 12 years ago

@WanWizard just checked and it needs a setup section in the docs, or did I miss it?

WanWizard commented 12 years ago

What do you mean by "setup section"?

There might be another issue. The introductory text in the docs is a bit confusing. This:

When you have set the auto_initialize setting to true, the session will be loaded and initialized when the Fuel framework loads. If it is set to false, it will be loaded automatically as soon as you use one of the methods below.

is no longer true. You now HAVE to always_load the Session class to have this behaviour. If you don't always_load, no session will be started (and therefore not updated).

jschreuder commented 12 years ago

How one enables sessions in an application. Going over things such as that Session needs to be loaded to keep the sessions alive (the easiest solution is to add it to always_load), using the auto_initialize setting, and a reminder about the domain/path/httponly settings for cookies, which are also important for how reliably sessions work.

WanWizard commented 12 years ago

Was already modifying the docs. I saw "cookie_http_only" is missing too...
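The setup points raised in the comments above (Session in always_load, auto_initialize, and the cookie domain/path/httponly settings) can be checked mechanically. The following is an added example, not code from this thread or from FuelPHP: the function name, the sample arrays and the `classes`, `cookie_path` and `cookie_domain` key names are assumptions based on the Fuel v1 config layout.

```php
<?php
// Added example, not FuelPHP code: lint two config arrays for the session
// setup points discussed in this issue. audit_session_setup() is hypothetical.

function audit_session_setup(array $config, array $session): array
{
    $findings = array();

    // Without Session in always_load, a request that never calls a Session
    // method forges no instance, so no shutdown event updates the session.
    $classes = isset($config['always_load']['classes'])
        ? $config['always_load']['classes'] : array();
    if (!in_array('session', array_map('strtolower', $classes), true)) {
        $findings[] = 'Session is not in always_load classes';
    }

    // always_load only creates the default instance when this is true.
    if (empty($session['auto_initialize'])) {
        $findings[] = 'auto_initialize is not true';
    }

    // HttpOnly keeps the session cookie out of reach of page scripts.
    if (!isset($session['cookie_http_only']) || $session['cookie_http_only'] !== true) {
        $findings[] = 'cookie_http_only is not explicitly true';
    }

    // Cookie scope decides which requests carry (and can refresh) the cookie.
    if (!isset($session['cookie_path']) || $session['cookie_path'] === '') {
        $findings[] = 'cookie_path is not set';
    }

    return $findings;
}

// Constructed sample values: an app that relies on lazy loading.
$config_before  = array('always_load' => array('classes' => array()));
$session_before = array('auto_initialize' => false, 'cookie_domain' => '');

// Constructed sample values: the setup recommended in the comments above.
$config_after  = array('always_load' => array('classes' => array('session')));
$session_after = array(
    'auto_initialize'  => true,
    'cookie_domain'    => '',
    'cookie_path'      => '/',
    'cookie_http_only' => true,
);

print_r(audit_session_setup($config_before, $session_before)); // four findings
print_r(audit_session_setup($config_after, $session_after));   // empty array
```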

Savageman commented 12 years ago

I'm not using always_load, but I always use it anyway.

From what I can see, the shutdown event you are talking about is only set when it's a new session.

I'm using the File driver, and I think the function that does not get called when I just read the session is _set_cookie(). It's only called when creating the session the first time and when writing the data. But I don't modify the data, so the session expires after a time, even if I'm using it. I guess... I didn't really drill down into it for now. I was waiting for some answers first. ^^

WanWizard commented 12 years ago

The event is registered in Session::forge(), for every session driver you instantiate. And it instantiates either when you use any session method, or when you always_load the class and auto_initialize is true (which creates the default instance for you).

It doesn't matter which Session method you use, they all need an instance to operate on.

The _set_cookie() method is called from the driver's write() method.

Savageman commented 12 years ago

I'll check what's happening and come back to you.

WanWizard commented 12 years ago

Did some tests with the file driver, but every time I send a page request to a controller method that only reads a session value, both the cookie and the session file are updated after the request. A Debug::dump() in _set_cookie() confirms that.

Savageman commented 12 years ago

Ok my bad. It's another issue related to a new feature in our app. I thought it was strange that the issue is coming just now.

Sorry to have made you lose time on this. At least the doc got improved.

WanWizard commented 12 years ago

Ok, glad you got it sorted.