SessionManager doesn't call rememberMe() automatically #14

Open
weierophinney opened this issue Dec 31, 2019 · 3 comments

@weierophinney
Member

Trying to figure out how to use sessions in ZF3, I've found that SessionManager doesn't use the configuration I pass. For example, I configure it as follows:

    // Session configuration.
    'session_config' => [
        'remember_me_seconds' => 60*60,  // Session will expire in 1 hour.
        'name'                => 'zf3',    // Session name.
    ],
    // Session manager configuration.
    'session_manager' => [
        // Session validators (used for security).
        'validators' => [
            RemoteAddr::class,
            HttpUserAgent::class,
        ]
    ],
    // Session storage configuration.
    'session_storage' => [
        'type' => SessionArrayStorage::class
    ],

However, SessionManager never uses the remember_me_seconds parameter unless I manually call its rememberMe() method. But I expect it to call it automatically when the session is started. Is this a bug?


Originally posted by @olegkrivtsov at zendframework/zend-session#59

@weierophinney added the "Question" (Further information is requested) label on Dec 31, 2019
@weierophinney
Member Author

> But I expect it to call it automatically when the session is started. Is this a bug?

I do not think so, because this behaviour is not documented and also not implemented.


Originally posted by @froschdesign at zendframework/zend-session#59 (comment)

@weierophinney
Member Author

It seems I found a solution: use the cookie_lifetime and gc_maxlifetime options instead of remember_me_seconds. I do not understand why we need the remember_me_seconds option, because it doesn't affect anything in SessionManager, StandardConfig or SessionConfig. Is it deprecated? I couldn't find a clear explanation in the documentation of why we need this option.


Originally posted by @olegkrivtsov at zendframework/zend-session#59 (comment)

@weierophinney
Member Author

"Remember me" is an optional function of the session manager which you must invoke manually if you wish to use it. All it does is extend the session cookie lifetime; the timing of server-side session gc is unaffected so sessions don't actually "live" longer.

> the thing to note is that session data is still subject to garbage collection based on session.gc_maxlifetime regardless of the rememberMe time set on a cookie. Calling Zend_Session::rememberMe() has no effect on garbage collection for that data.

(ref: http://stackoverflow.com/a/9539452)
(it's a ZF1 reference but principle is the same)

IMO it's not a useful function in its present state. If you want to remember a user in this way and ask them to re-authenticate on a future visit you're best off implementing a separate cookie aside from the PHP session cookie for that.


Originally posted by @adamlundrigan at zendframework/zend-session#59 (comment)
