Session Expires Quickly

[rafecolton]

Hello,

I am using the Gaurd with the following arguments:

new \Slim\Csrf\Guard('csrf', $_, function(Request $request, Response $response, $next) {
  return $response
    ->withStatus(400)
    ->withHeader('Content-type', 'text/plain')
    ->write('Security check failed. Please refresh the page.');
}, 200, 16, true));

I have users reporting that when they leave the page sit 30–60 minutes, the CSRF check fails on the next API request. I have been able to reproduce this on Mobile Safari on iOS. As far as I know, nothing is killing the session, as the user is still logged in. Any idea why this would be happening? I don't see anything in the code about how long to keep the tokens, so I would expect them to last as long as the session.

[C0kkie]

Any news on that? I have sometimes the same problem

[C0kkie]

Nobody? :O

[l0gicgate]

I’m not familiar with this lib. @akrabat @geggleto?

[akrabat]

I have no clue why that would happen as the code doesn't do anything clever. I think that the session is being expired either by PHP or by the Linux distro's cleanup code.

[C0kkie]

The thing is, the session is still present as in the first post written @akrabat

[akrabat]

@C0kkie I don't know how to help. I can't see anything in the source related to timing out as it just uses $_SESSION.

Logically $_SESSION must no longer have the info in it. The obvious ways that this could happen is if PHP gc'd the session or the storage limit was reached. The storage limit is 200, so maybe raise it to 1000 and see if that solves it? If it does, you should work out what is causing your user to make 199 requests to the site before submitting the form they are supposed to be filling out.

[C0kkie]

What variables is the limit in the php ini?

[akrabat]

What variables is the limit in the php ini?

If you mean storage limit, it's a constructor parameter to Guard.

[C0kkie]

I will set it 1000 and will see if that solves it,

[C0kkie]

Looks like it didnt helped to set it to 1000, users still complaining about it

[akrabat]

Not that then. You'll have to debug it. Can you reproduce on your staging environment?

[C0kkie]

Mostly yes, if i wait a hour or something like that

[C0kkie]

But not really a idea how to debug that shit :D

[C0kkie]

a higher session.gc_maxlifetime solved my problem, it was because the session got deleted while someone filled a form

[l0gicgate]

Thanks for the update @C0kkie. Closing this as resolved