bcosca / fatfree

A powerful yet easy-to-use PHP micro-framework designed to help you build dynamic and robust Web applications - fast!


SESSION COOKIE DOES NOT UPDATE EXPIRATION TIME

Ziggizag opened this issue · comments

Hi,

In base.php, in function set($key,$val,$ttl=0), you set JAR with session_set_cookie_params($jar).

The side effect is that the session cookie expiration time, if initially set, is never updated on page reload, and the session eventually dies.

Please, consider plain setcookie(session_name(),session_id(), $jar) instead of session_set_cookie_params($jar).

Regards,

No!
https://fatfreeframework.com/3.7/quick-reference#JAR
You must use JAR.lifetime = 86400 if you want the session to last 1 day.
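The report above says the cookie lifetime set through JAR (and therefore session_set_cookie_params()) is only sent when a new session id is issued, so a returning visitor keeps the original expiry. The following is an added example, not code from the issue thread or from the Fat-Free project: it applies the JAR.lifetime setting recommended in the reply and adds a small helper, refresh_session_cookie() (our own name), that re-sends the session cookie with the attributes already stored in session_get_cookie_params(), so the expiry slides forward on each request while the secure/httponly/samesite flags stay in sync with JAR. It assumes PHP 7.3 or newer (array form of setcookie and the samesite cookie parameter) and Fat-Free 3.7.

```php
<?php
// Added example (not from the issue thread or the Fat-Free project).
// Assumptions: PHP >= 7.3, Fat-Free 3.7 installed via Composer, and a
// route name and hive keys ('SESSION.hits') chosen here for illustration.

require_once 'vendor/autoload.php';

$f3 = Base::instance();

// Reply's advice: JAR.lifetime is what F3 hands to session_set_cookie_params().
// PHP only emits that cookie when it issues a *new* session id, so on its own
// the expiry is fixed at the first visit.
$f3->set('JAR.lifetime', 86400);   // 1 day
$f3->set('JAR.secure', TRUE);
$f3->set('JAR.httponly', TRUE);
$f3->set('JAR.samesite', 'Strict');

/**
 * Re-send the session cookie so its expiry slides forward on every request.
 * Attributes come from session_get_cookie_params(), i.e. from JAR, so the
 * refreshed cookie keeps the same path/domain/secure/httponly/samesite flags.
 * Returns false when there is nothing to refresh (no active session, headers
 * already sent, or a browser-session cookie with lifetime 0).
 */
function refresh_session_cookie(): bool {
    if (session_status() !== PHP_SESSION_ACTIVE || headers_sent()) {
        return false;
    }
    $p = session_get_cookie_params();
    if ($p['lifetime'] <= 0) {
        return false; // lifetime 0 means "until the browser closes"; nothing to slide
    }
    return setcookie(session_name(), session_id(), [
        'expires'  => time() + $p['lifetime'],
        'path'     => $p['path'],
        'domain'   => $p['domain'],
        'secure'   => $p['secure'],
        'httponly' => $p['httponly'],
        'samesite' => $p['samesite'] ?: 'Lax',
    ]);
}

$f3->route('GET /', function (Base $f3) {
    // Reading or writing SESSION.* makes F3 start the session; the cookie is
    // created by PHP on the first visit only, so refresh it afterwards.
    $f3->set('SESSION.hits', (int) $f3->get('SESSION.hits') + 1);
    refresh_session_cookie();
    echo 'hits: ' . $f3->get('SESSION.hits');
});

$f3->run();
```

Because the helper reads the parameters back from PHP rather than hard-coding them, changing JAR.* in config.ini is enough to change what the refreshed cookie carries; the session.gc_maxlifetime setting still needs to be at least as long as JAR.lifetime, otherwise the server-side data expires before the cookie does.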

@mihailovs2000 Thank you for your feedback, but I spent an entire afternoon trying to get this done (I am a FFF newbie) and finally decided to make my index.php like this:

```php
require_once("vendor/autoload.php");

$f3 = Base::instance();

$config = $f3->config(__DIR__ . '/config/config.ini');
$routes = $f3->config(__DIR__ . '/config/routes.ini');

$db = new DB\SQL(
	$f3->get('devdb'),
	$f3->get('devdbusername'),
	$f3->get('devdbpassword'),
	[\PDO::ATTR_ERRMODE => \PDO::ERRMODE_EXCEPTION]
);

$f3->db = $db;

if (php_sapi_name() === "cli") {
	$f3->set('CACHE', FALSE);
} else {
	$f3->set('ONERROR',function($f3) {
		$f3->set('view','error.htm');
		echo \Template::instance()->render('layout.htm');
	});
}

if (php_sapi_name() !== "cli") {
	// Run garbage collection on every request; SESSION_TIMEOUT comes from config.ini
	ini_set('session.gc_probability', 100);
	ini_set('session.gc_divisor', 100);
	ini_set('session.gc_maxlifetime', $f3->SESSION_TIMEOUT);
	if ($f3->get('CACHE')) {
		// Only if caching is enabled, as Session is Cache based!
		$f3->session=new DB\SQL\Session($db,'sessions',TRUE);
		if (!$f3->get('SESSION.token')) {
			$token=bin2hex(random_bytes(12));
			$f3->set('SESSION.token', $token);
		}
		// Re-send the session cookie so its expiry moves forward on every request
		setcookie(session_name(), session_id(), [
			'expires' => time()+$f3->SESSION_TIMEOUT,
			'path' => '/',
			'domain' => '',
			'secure' => TRUE,
			'httponly' => TRUE,
			'samesite' => 'strict'
		]);
	} else {
		$f3->error(406, 'Cache is disabled!');
	}
}

$f3->run();
```

Only this solution has proven to work as expected.

The session token is being changed on reload due to precise customer request (I recommended it being regenerated once per session, but the customer objected).

Perhaps I was doing something wrong, but I have already moved on to another project, so I am not in a position to alter the code.

Thanks anyway!