tbar0970 / jethro-pmm

Jethro Pastoral Ministry Manager
GNU General Public License v3.0

Jethro sessions timing out too early #1088

Open jefft opened 2 hours ago

jefft commented 2 hours ago

Jethro has a 'Session Timeout Mins' system configuration option that claims to determine how long a user can be inactive for, before they need to log in again:

image

It isn't working though. Sessions expire after about 1h of inactivity. This can be seen by logging the X-Jethro-Session response header (added in https://github.com/tbar0970/jethro-pmm/pull/851):

LogFormat "%V:%p %a %{X-Jethro-Session}o %{X-Jethro-User}o %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\" reqtime=%D uid=%{X-Jethro-UID}o" vhost_combined_timed

For one particular user, the session changes (indicating a timeout) after about an hour of inactivity:

root@server/var/log/apache2/jethro # cat access.log | awk '$4=="tom" { print $3, $5}' 
ue4p0 [24/Oct/2024:09:56:02
ue4p0 [24/Oct/2024:09:56:05
ue4p0 [24/Oct/2024:09:56:09
ue4p0 [24/Oct/2024:09:56:19
         1h 2m break
9ah0o [24/Oct/2024:10:58:24
9ah0o [24/Oct/2024:10:58:26
...9ah0o [24/Oct/2024:11:06:19
         1h 51m break
v3mrs [24/Oct/2024:12:57:40
v3mrs [24/Oct/2024:12:57:40
v3mrs [24/Oct/2024:12:57:40
v3mrs [24/Oct/2024:12:58:55
v3mrs [24/Oct/2024:12:58:57
         44m 26s break
haccr [24/Oct/2024:13:43:23
         33s break     <-- I can't explain this one
pllck [24/Oct/2024:13:43:56
pllck [24/Oct/2024:13:45:07
        2h 7m break 
lq32o [24/Oct/2024:15:52:52

jefft commented 2 hours ago

The problem is that PHP has its own session timeout mechanism based on the session.gc_maxlifetime configuration option. Jethro is not setting session.gc_maxlifetime to reflect SESSION_TIMEOUT_MINS.

The PHP session.gc_maxlifetime default is only 1440 seconds (24 minutes). On Debian, the session cleanup is done every 30 minutes by a script (see this discussion), so in practice your session can be inactive between 24 and 54 minutes before the PHP session cleaner wipes it.

The associated PR fixes this. Alternatively one can edit the global php.ini file (e.g. /etc/php/7.4/fpm/php.ini) and set session.gc_maxlifetime to a value equal to or larger than SESSION_TIMEOUT_MINS*60, e.g. 14400 for 240m (4h) of inactivity as in the screenshot.