Open jefft opened 2 hours ago
The problem is that PHP has its own session timeout mechanism based on the session.gc_maxlifetime configuration option. Jethro is not setting session.gc_maxlifetime to reflect SESSION_TIMEOUT_MINS.
The PHP session.gc_maxlifetime default is only 1440 seconds (24 minutes). On Debian, the session cleanup is done every 30 minutes by a script (see this discussion), so in practice your session can be inactive between 24 and 54 minutes before the PHP session cleaner wipes it.
The associated PR fixes this. Alternatively one can edit the global php.ini file (e.g. /etc/php/7.4/fpm/php.ini) and set session.gc_maxlifetime to be equal to or larger than SESSION_TIMEOUT_MINS*60, e.g. 14400 for 240m (4h) of inactivity as in the screenshot.
Jethro has a 'Session Timeout Mins' system configuration option that claims to determine how long a user can be inactive for, before they need to log in again:
It isn't working though. Sessions expire after about 1h of inactivity. This can be seen by logging the X-JethroSession response header (added in https://github.com/tbar0970/jethro-pmm/pull/851):
For one particular user, the session changes (indicating a timeout) after about an hour of inactivity:
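An added example, not part of the original issue or of Jethro's code: a Python check that reads php.ini text, finds the effective session.gc_maxlifetime, compares it with SESSION_TIMEOUT_MINS*60, and reports the inactivity window implied by the 30-minute Debian cleanup described above. The function names and the sample ini fragments are constructed for illustration; it assumes a single ini file with no conf.d, per-directory or runtime overrides.

```python
import re

# Values taken from the issue text above.
PHP_DEFAULT_GC_MAXLIFETIME_S = 1440      # PHP default (24 minutes)
DEBIAN_CLEANUP_INTERVAL_S = 30 * 60      # Debian cleanup script runs every 30 minutes

# Matches an active (uncommented) assignment; ';' starts a comment in php.ini.
_DIRECTIVE = re.compile(
    r'^\s*session\.gc_maxlifetime\s*=\s*"?(\d+)"?\s*(?:;.*)?$'
)

def gc_maxlifetime(ini_text):
    """Return the effective session.gc_maxlifetime in seconds.

    The last active assignment wins; if none is present the PHP default applies.
    """
    value = PHP_DEFAULT_GC_MAXLIFETIME_S
    for line in ini_text.splitlines():
        match = _DIRECTIVE.match(line)
        if match:
            value = int(match.group(1))
    return value

def audit(ini_text, session_timeout_mins):
    """Compare PHP's session lifetime with the application's timeout setting."""
    gc = gc_maxlifetime(ini_text)
    required = session_timeout_mins * 60
    return {
        "gc_maxlifetime": gc,
        "required": required,
        # PHP must keep the session at least as long as the app expects.
        "ok": gc >= required,
        # Earliest and latest moment an idle session file can be wiped.
        "inactivity_window_s": (gc, gc + DEBIAN_CLEANUP_INTERVAL_S),
    }

# Constructed sample php.ini fragments (not copied from any real host).
DEFAULT_INI = "[Session]\n;session.gc_maxlifetime = 99999\nsession.gc_maxlifetime = 1440\n"
FIXED_INI = "[Session]\nsession.gc_maxlifetime = 1440\nsession.gc_maxlifetime = 14400 ; 4h\n"

if __name__ == "__main__":
    for name, ini in (("default", DEFAULT_INI), ("fixed", FIXED_INI)):
        print(name, audit(ini, session_timeout_mins=240))
```

With the default fragment the reported window is 1440 to 3240 seconds, the 24 to 54 minutes mentioned in the issue.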