I have cakephp site, I was having problem that was after being idle for about >= 1 hour it gets log-out automatically
so I googled to extend timeout for that I wrote the following in core.php
Configure::write('Session', array(
'defaults' => 'php',
'timeout' => 28800, // 8 hours.
)
);
I want to keep a logged in user logged-in even after being idle for less than 8hours
but this is not working
how can I sort out this?
According to CakePHP manual, the unit of Session.timeout option is "minute", so 8 hours should be 60*8=480
Regarding the setting not work, I think maybe you could try to clean the cakePHP cache files / restart web server or change the debug level to 2 for troubleshooting?
CakePHP 2.0 manual sessions
May be you are using CakePHP 3, that is why you are facing this issue. Session timeout does not work in CakePHP 3, You might use cookie_lifetime, please check https://github.com/cakephp/cakephp/issues/5664
I had the same problem in CakePHP 1.3
The problem was that CakePHP was using the settings defined in php.ini instead of the one I was defining in core.php
So I had to change in core.php:
Configure::write('Session.save', 'php');
to
Configure::write('Session.save', 'cake');
And it worked like a charm!
Related
I'm on Laravel 5.7 and trying to get it so that my session expires and logs me out after 2 minutes.
In my session.php file i did:
'lifetime' => 2,
'expire_on_close' => false,
I will then leave my computer for example like 15 minutes, come back, refresh, and I'm still logged in?
Can you tell me why and how to fix it. Many thanks.
Ok I've figured it out.
The reason is I'm using Auth::logoutOtherDevices in Login function, and this function automatically generates the remember me cookie.
Thank you guys so much.
update .env file
SESSION_LIFETIME=2
From the docs the lifetime looks like it is in seconds so the lifetime would be
SESSION_LIFETIME=120 and not 2.
Edit: Please could you try set the option:
'expire_on_close' => true,
This will force the session to expire on browse close.
I found a potential answer to your issue here: Laravel - Auth Session not expiring after browser close
It sounds like it could be a chrome problem.
Try your solution on firefox to see if it is a chrome issue.
Have a read of that thread i linked.
Please make sure to check with your configurations.
In Session.php set lifetime to your desired time for session expiration.
Also in upgraded versions of laravel session lifetime is not set hard anymore, instead it takes from .env file.
You can try below configurations.
In your config/session.php
'lifetime' => env('SESSION_LIFETIME', 2),
And set below key in your .env file
SESSION_LIFETIME=2
Recently I moved my cakephp site from a hosting service to an other. The page was working like a charm, but now I'm having the issue, that my sessions randomly drop.
I'm on a shared hosting service, so I changed cake's session defaults from php to cake, now my sessions are saved to my tmp/sessions folder. (but it wasn't working with php either)
Followed my session's way with Firebug:
When i log into the page, i have a Sessionid, and in the tmp/sessions folder i have the corresponding sess_{sessionid} file too.
After a few clicks on some pages (totally random) my sessionid changes and i'm "logged out".
The session file with which i've logged in, remained in the directory.
My session settings in core.php right now:
Configure::write('Session', array(
'defaults' => 'cake'
));
I'm using the 2.3.8 version of Cake.
Update:
Finally i found the problem thanks to Nick. I checked the Cakephp error files, and found out that i only got logged out, when i visited a page containing an element, which was not on the server ( eg a picture was missing). So i went to Firebug, and check what the Net tab says. On the new Host service i got a 404 Not Found response AND a new session id set in the response, whilst on the other servers i tested the page, i simply got a 404 Not Found. If i randomly generate links to not existing files like (domain/test.jpg) i get the same results.
Try these settings, in Firefox you can install the web develop extension, then you can view your cookie to see if it is all set correct.
Configure::write('Session', array(
'defaults' => 'php',
'cookie' => 'yourdomain',
'timeout' => 44640,
));
Check any components that you are using for whitespace (usually at the end of the file).
I came across this recently whilst helping a client with their existing CakePHP site, when logged in one particular page that called a component was killing $this->Session->read(‘Auth’).
There is a CakePHP shell that you can use to find whitespace.
i am working on a Cakephp 2.x ... i am using auth component ... the problem write now is that the session automatically expires after some minutes.. i mean if the user does nothing then CakePHP logs them out after some period...i want to make the session time forever unless he click the logout button ..i dont know how to to do this .. any help would be greatly appreciated
Here's my config code:
Configure::write('Session', array(
'defaults' => 'php'
));
I think the problem is that you're using the default php sessions and they are configured (in php.ini) to expire sooner than you want to. See.
If you want your logins to live forever it's probably better to use cookie based login. See this plugin for instance.
I recently switched over to Cake2.0, and was having some issues with Sessions timing out much sooner than they should.
Copying the example from the documentation, I set the session type to php, and set the timeout to 3 days (4320 mins). However, after reading various articles, it seems that even after setting the timeout to 3 days in Cake, PHP may destroy the session in GC if PHP.ini is set with a shorter timeout for the session or GC.
So, I changed the Session default to cake, with the same timeout.
Configure::write('Session', array(
'defaults' => 'cake',
'timeout' => 4320,
));
Configure::write('Security.level', 'medium');
However, while this should leave me logged in for 3 days, I find I barely get 3 hours before I need to log in again.
Is there an issue with Session timeouts that I should be aware of, or is the timeout in seconds (not minutes?) or is it being influenced by the Security.level like in 1.3? I haven't been able to find any hard documentation about how this works in 2.0, or what could be causing the issues.
Thanks in advance.
Answer:
For anyone coming in later and seeing this. There is a bug in 2.0.5 where the Session timeout was not saving the value in Config.write();
To solve, update to 2.0.6 (or 2.1 when it leaves beta)
If you are using the security component, you can always try changing the expiration on them to 3 hours as well:
$components = array(
'Security' => array(
'csrfExpires' => '+3 hour'
)
);
I am not saying this is a good idea to do, but it could help you narrow down the problem. If you are using the Security component, this is probably the issue.
Also, the Session.timeout is in minutes (not seconds).
I need to keep Security.level set on medium for Ajax reason.
But I want that If the user close browser his session will destroy.
How can I do that?
Thanks in advance!
Config/core.php
Configure::write('Session', array(
'defaults' => 'php',
'cookieTimeout' => 0, //Lives until the browser is closed.
'checkAgent' => false //To fix a little the Chrome Frame problem
));
Unless you're persisting session data (ie: storing session data in a cookie with an expiration date in the future), then the session should be destroyed when the user closes the browser.
Unfortunately I'm not familiar with the CakePHP framework so I cannot comment on its API. However, if you want to explicitly end a session you can do so in PHP with session_destroy().
Hope that helps.
You could remove the session cookie with JS when the page is closed (remember: page close is also triggered when the user just navigates away - maybe just to the next page of yours).
i guess you could fire on ajax command on page unload to call session_destroy()
http://book.cakephp.org/view/1317/destroy for CakePHP - but yes, CakePHP does set a proper session cookie which is deleted by the browser when it closes.
What you really are probably concerned about is session hijacking - and so you really want some kind of a logout on site closure. You can't do this - the best alternative method that I know of is:
A short session timeout with an "Are you there?" AJAX refresh - the timeout can be controlled independently of the security level now using Configure::write('Session.timeout', $seconds);, where for medium security level the timeout seconds are multiplied by 100. Banks use this method.