Tags: php, session, zend-framework2, session-fixation

ZF2: How to implement session timeout and a session fixation fix


I want my sessions to expire after 30 minutes of inactivity however when I set this up, my users are getting logged out randomly, even though they may have had only a few seconds of inactivity. I think the problem lies with regenerating the session ID.

My understanding is that, to get the desired effect, I need to configure remember_me_seconds in my session to 1800. Then in my bootstrap, after I call $sessionMgr->start(), I need to call $sessionMgr->rememberMe().

rememberMe() calls regenerateId(), and I think this is where the problems lie. I think that if the browser fires off two requests in quick succession, the first request is processed and the session id is updated on the server. When the second request is received by the server it still carries the old session id, which is no longer recognised, so the server treats you as if you were logged out. Does this sound possible? I think it must be, since I can simulate the problem by calling regenerateId() directly (instead of calling rememberMe()).

So, the question then is how should I implement my desired solution? As far as session timeout goes, I could store the 'last access' time in my session and compare it with the current time whenever a request is received. But this would make the rememberMe() functionality redundant. And as for regenerating the id to avoid session fixation, I can't see how I could do this effectively. There will always be situations when there are multiple browser requests in quick succession, so the possibility that the server will be out of synch...


Solution

  • OK, so I was coming at this from the wrong angle. I had presumed that "remember me" and "cookie lifetime" were designed to help with session timeout. As this question, "How do I expire a PHP session after 30 minutes?", makes clear, I should be implementing my own solution.

    Furthermore, after reading this article, http://phpsec.org/projects/guide/4.html, I can see that I only really need to regenerate the session ID when the user logs in or out.
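The approach the answer settles on, as an added plain-PHP example (not code from the original post and not Zend's own API): a last-activity timestamp enforces the 30-minute idle timeout, and the session ID is regenerated only at login, so the concurrent-request race described in the question cannot occur. The function names and the use of `$_SESSION` directly are this example's choices.

```php
<?php
// Added example: idle timeout plus fixation defence in plain PHP.
// 1800 seconds matches the 30-minute limit from the question.
const IDLE_TIMEOUT_SECONDS = 1800;

// Call once per request, right after session_start().
// Returns false when the session was idle too long and has been destroyed.
function enforceIdleTimeout(int $now): bool
{
    if (isset($_SESSION['last_activity'])
        && ($now - $_SESSION['last_activity']) > IDLE_TIMEOUT_SECONDS) {
        logout();                       // idle too long: discard the session
        return false;
    }
    $_SESSION['last_activity'] = $now;  // touch on every request
    return true;
}

// Regenerate the ID only on a privilege change (login), never on every
// request, so two requests in flight at once both carry a valid ID.
function login(int $userId, int $now): void
{
    session_regenerate_id(true);        // true = delete the old session data
    $_SESSION['user_id'] = $userId;
    $_SESSION['last_activity'] = $now;
}

// Drop server-side state and expire the browser cookie that carries the ID.
function logout(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// Typical bootstrap: start the session, then enforce the timeout.
session_start();
if (!enforceIdleTimeout(time())) {
    header('Location: /login');         // hypothetical login route
    exit;
}
```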