stefangabos / Zebra_Session

A drop-in replacement for PHP's default session handler which stores session data in a MySQL database, providing better performance, better security and protection against session fixation and session hijacking
https://stefangabos.github.io/Zebra_Session/Zebra_Session/Zebra_Session.html

Session Lifetime of 0 (zero) Behaves Differently on PHP 8 - Expires Immediately #45

Closed switchroyale closed 1 year ago

switchroyale commented 1 year ago

Hi there, I'm a big fan of Zebra Session and have been using it for quite some time now with no issues until now. The servers I use are being transitioned to PHP 8 and I noticed that my settings, specifically the Session Lifetime setting, no longer work as they did on PHP 7. My current setup looks like this:

$session = new Zebra_Session(
    $link, // Database Connection
    'sEcUr1tY_c0dE', // Security Code
    0, // Session Lifetime
    true, // Lock to User Agent
    false, // Lock to IP
    '', // Garbage Collection Probability
    '', // Garbage Collection Divisor
    'session_data', // Database Table Name
    60 // Session Lock
);

On PHP 8, a Session Lifetime of 0 (zero) seems to expire immediately. I could make the Session Lifetime greater than zero but my goal is to essentially not have sessions expire unless the browser is closed. Any suggestions?

chimpmysite commented 1 year ago

Hi @stefangabos,

I agree with @switchroyale after upgrading to PHP8.

I use both Zebra_Database and Zebra_Session in my CMS software, both fantastic PHP classes. Unfortunately after upgrading to PHP8 my sessions expire immediately. I've spent a whole day debugging my code only to find that out. Previous versions on PHP7 worked fine!

$session = new Zebra_Session($link, 'sEcUr1tY_c0dE');

I'm looking at your code but can't find what's wrong. Default value is 0 if not specified. Gonna try a value.

stefangabos commented 1 year ago

I can't find anything related to this, and I am almost certain that I have it running somewhere on PHP 8. It is maybe some setting in your php.ini used for PHP 8 that impacts this somehow. I'll keep digging, but feedback is appreciated.

chimpmysite commented 1 year ago

Hi @stefangabos,

So I can confirm that making a change to the session lifetime in your Zebra_Session class appears to fix my issue within PHP 8.1. PHP 7.4 works ok with 0 (zero), however PHP 8.1 definitely expires sessions immediately with 0. Here are my working PHP 8.1 settings...

$session = new Zebra_Session(
  $link, // Database Connection
  'sEcUr1tY_c0dE', // 2nd var is a random security code and part of a hash to prevent session hijacking
  1440, // Session Lifetime
  true, // Lock to User Agent
  false, // Lock to IP
  60, // Lock Timeout
  DB_PREFIX.'_sessions', // Table Name
  true, // Start Session
  false // Read Only
);

I've done extensive research into this issue but can't find a solution when allowing default session lifetime of zero.

stefangabos commented 1 year ago

Guys, this is now fixed. Please download the latest again. Thanks for reporting and keeping this thread alive.

chimpmysite commented 1 year ago

Hi @stefangabos,

Will do and thank you for your prompt response :)