Revise the session timeout value - Githubissues

ubc / iPeer

Peer Evaluation System

http://ipeer.ctlt.ubc.ca

Other

18 stars 18 forks source link

Revise the session timeout value #606

Closed kitsook closed 5 years ago

kitsook commented 5 years ago

The current Session.timeout value is set as 1200: https://github.com/ubc/iPeer/blob/c6da8fcedd4a720e6f097c8a608b9340e798c762/app/config/core.php#L171-L175

From the comment, it was intended to be 1200 seconds. However, according to the doc, the value is in minutes.

Also need to check the value of Security.level. This value is used in Cake 1.3.x to multiply the real session timeout value.

kitsook commented 5 years ago

Some findings:

the cookie timeout (in seconds) is calculated by Session.timeout multiplied by Security::inactiveMins() multipled by 60. Therefore, in current setup: 1200 300 60 = 21600000 seconds = 250 days

https://github.com/ubc/iPeer/blob/c6da8fcedd4a720e6f097c8a608b9340e798c762/cake/libs/cake_session.php#L484

the backend session data (stored in db as configured by IPEER_SESSION_SAVE) has an expires field in which the garbage collector will clear the data (effectively end the session). It is calculated by current unix time (in seconds) + Session.timeout multiplied by Security::inactiveMins(). With current setup: 1200 * 300 = 360000 seconds = 4.167 days

https://github.com/ubc/iPeer/blob/c6da8fcedd4a720e6f097c8a608b9340e798c762/cake/libs/cake_session.php#L757

$this->sessionTime is used to check if the session is still valid. The calculation is similar to expires. So for current setup it is around 4.167 days

https://github.com/ubc/iPeer/blob/c6da8fcedd4a720e6f097c8a608b9340e798c762/cake/libs/cake_session.php#L199

With CakePHP 2.3, Security.level (and hence Security::inactiveMins()) is not used anymore. Also, with CakePHP 2.x, Security.timeout is in minutes.