silverstripe / cwp-core

CWP basic compatibility module
BSD 3-Clause "New" or "Revised" License

Session timeout is set to an hour, but is only realistically ~24min on CWP #40

Closed madmatt closed 6 years ago

madmatt commented 6 years ago

https://github.com/silverstripe/cwp-core/blob/master/_config/config.yml#L12 sets the session timeout for SilverStripe sessions to one hour (3600 seconds); however, PHP settings on CWP itself are not changed from the default value of 24 mins (1440 seconds).

This means that while we set sessions and their cookies to expire after an hour, PHP is cleaning up these sessions after just 24 mins, so nobody gets to use a session with more idle time than 24 mins.

It would make sense to set this value to 1440 to match PHP settings so it's not confusing to users.

Additionally, we could add documentation around how to increase this value, which consists of doing two things:

  1. Overriding the YML config value with an updated value (e.g. 7200 for 2hrs)
  2. Adding php_value session.gc_maxlifetime 7200 to .htaccess

PRs

ScopeyNZ commented 6 years ago

This still won't work on environments that have a cron that clears sessions (as they usually check what's set in php.ini for gc_maxlifetime). Debian does this. We should ensure documentation indicates that the php.ini configuration should be correct in those cases.
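The two comments above describe three places the effective idle timeout can come from: the SilverStripe YAML timeout, a php_value override in .htaccess (honoured only by PHP's own garbage collector), and session.gc_maxlifetime in php.ini (the value a Debian-style cron cleaner reads). The checker below, added here as an example and not part of cwp-core, parses constructed samples of all three and reports the timeout a user will actually experience, which is the smallest of the values in play. The YAML key name (Session: timeout:), the file contents and the cron_cleanup flag are assumptions for illustration.

```python
import re
from typing import Dict, Optional

# Constructed sample inputs (not cwp-core's real files), using the numbers
# from the issue: a 1 hour SilverStripe timeout, a 2 hour .htaccess
# override, and the untouched php.ini default of 24 minutes.
CONFIG_YML = """\
---
Name: cwp-session
---
Session:
  timeout: 3600
"""

HTACCESS = """\
# Only PHP's in-process garbage collector sees this override
php_value session.gc_maxlifetime 7200
"""

PHP_INI = """\
[Session]
; Distro default; a cron-based session cleaner reads this value
session.gc_maxlifetime = 1440
"""

PHP_DEFAULT_GC_MAXLIFETIME = 1440  # PHP's compiled-in default (seconds)


def silverstripe_timeout(yml: str) -> Optional[int]:
    """Return the integer `timeout:` under the top-level Session: block (assumed key name)."""
    in_session = False
    for line in yml.splitlines():
        if not line.startswith((" ", "\t")):
            in_session = line.strip() == "Session:"
            continue
        if in_session:
            m = re.match(r"\s*timeout:\s*(\d+)\s*$", line)
            if m:
                return int(m.group(1))
    return None


def htaccess_gc_maxlifetime(htaccess: str) -> Optional[int]:
    """Return a php_value / php_admin_value session.gc_maxlifetime override, if any."""
    m = re.search(
        r"^\s*php_(?:admin_)?value\s+session\.gc_maxlifetime\s+(\d+)\s*$",
        htaccess, re.M,
    )
    return int(m.group(1)) if m else None


def ini_gc_maxlifetime(ini: str) -> Optional[int]:
    """Return session.gc_maxlifetime from a php.ini fragment, ignoring ; comments."""
    m = re.search(r"^\s*session\.gc_maxlifetime\s*=\s*(\d+)\s*$", ini, re.M)
    return int(m.group(1)) if m else None


def effective_idle_timeout(yml: str, htaccess: str, ini: str, cron_cleanup: bool) -> Dict[str, int]:
    """Work out which limit actually ends an idle session.

    cron_cleanup=True models a host whose cron job deletes session files based on
    php.ini alone, so the .htaccess override is irrelevant there.
    """
    app_timeout = silverstripe_timeout(yml) or PHP_DEFAULT_GC_MAXLIFETIME
    ini_value = ini_gc_maxlifetime(ini) or PHP_DEFAULT_GC_MAXLIFETIME
    if cron_cleanup:
        gc_limit = ini_value
    else:
        gc_limit = htaccess_gc_maxlifetime(htaccess) or ini_value
    return {
        "app_timeout": app_timeout,
        "gc_limit": gc_limit,
        "effective": min(app_timeout, gc_limit),
    }


def mismatch_warning(result: Dict[str, int]) -> Optional[str]:
    """Explain the gap a user would notice, or None when the two limits agree."""
    if result["app_timeout"] > result["gc_limit"]:
        return (f"SilverStripe promises {result['app_timeout']}s but PHP discards "
                f"sessions after {result['gc_limit']}s; raise gc_maxlifetime or lower the app timeout")
    if result["app_timeout"] < result["gc_limit"]:
        return (f"stale session files linger {result['gc_limit'] - result['app_timeout']}s "
                f"past the app timeout; harmless but untidy")
    return None


if __name__ == "__main__":
    for cron in (False, True):
        res = effective_idle_timeout(CONFIG_YML, HTACCESS, PHP_INI, cron_cleanup=cron)
        print(f"cron_cleanup={cron}: {res} -> {mismatch_warning(res)}")
```

Run against the samples, the .htaccess route gives an effective hour (the app timeout is now the binding limit), while the cron route still yields 24 minutes because php.ini was never changed, which is exactly the trap the documentation needs to call out.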

madmatt commented 6 years ago

Great point, I forgot that crons do it that way; that's rather unfortunate... It would be great to have a way to specify this somehow, but that's beyond the scope of what cwp-core can do, so maybe the best bet is to just change the value in config.yml to 1440 to match the defaults.

dhensby commented 6 years ago

It's also important to make sure people don't have the impression that increasing this value will do anything if the php.ini setting isn't changed.

ScopeyNZ commented 6 years ago

Raised some PRs at #47 and silverstripe/cwp#148