This repository has been archived by the owner on Jan 31, 2020. It is now read-only.

SessionManager doesn't call rememberMe() automatically #59

Open
olegkrivtsov opened this issue Sep 29, 2016 · 4 comments

@olegkrivtsov

Trying to figure out how to use sessions in ZF3, I've found that SessionManager doesn't use the configuration I pass. For example, I configure it as follows:

    // Session configuration.
    'session_config' => [
        'remember_me_seconds' => 60*60,  // Session will expire in 1 hour.
        'name'                => 'zf3',    // Session name.
    ],
    // Session manager configuration.
    'session_manager' => [
        // Session validators (used for security).
        'validators' => [
            RemoteAddr::class,
            HttpUserAgent::class,
        ]
    ],
    // Session storage configuration.
    'session_storage' => [
        'type' => SessionArrayStorage::class
    ],

However, SessionManager never uses the remember_me_seconds parameter unless I manually call its rememberMe() method. But I expect it to call it automatically when the session is started. Is this a bug?

@froschdesign
Member

> But, I expect it to call it automatically when session is started. Is this a bug?

I do not think so, because this behaviour is not documented and also not implemented.

@olegkrivtsov
Author

It seems I found a solution: to use the cookie_lifetime and gc_maxlifetime options instead of remember_me_seconds. I do not understand why we need the remember_me_seconds option, because it doesn't affect anything in SessionManager, in StandardConfig, or in SessionConfig. Is it deprecated? I couldn't find a clear explanation in the documentation of why we need this option.

@adamlundrigan

"Remember me" is an optional function of the session manager which you must invoke manually if you wish to use it. All it does is extend the session cookie lifetime; the timing of server-side session gc is unaffected so sessions don't actually "live" longer.

> the thing to note is that session data is still subject to garbage collection based on session.gc_maxlifetime regardless of the rememberMe time set on a cookie. Calling Zend_Session::rememberMe() has no effect on garbage collection for that data.

(ref: http://stackoverflow.com/a/9539452)
(it's a ZF1 reference but principle is the same)

IMO it's not a useful function in its present state. If you want to remember a user in this way and ask them to re-authenticate on a future visit you're best off implementing a separate cookie aside from the PHP session cookie for that.
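
The two points made in this thread (cookie_lifetime and gc_maxlifetime are what the session honours on start, and rememberMe() only changes the cookie and must be called explicitly) combined in one sketch. This is an added example, not code from any participant or from the zend-session project; it assumes zendframework/zend-session is installed via Composer, and `REMEMBER_SECONDS`, `buildSessionManager()` and `onLogin()` are hypothetical names.

```php
<?php
// Added example; assumes zendframework/zend-session is autoloadable.
require __DIR__ . '/vendor/autoload.php';

use Zend\Session\Config\SessionConfig;
use Zend\Session\SessionManager;

// Hypothetical constant: the 1 hour used in the issue's configuration.
const REMEMBER_SECONDS = 60 * 60;

/**
 * Build a manager whose server-side lifetime covers the extended cookie.
 */
function buildSessionManager(): SessionManager
{
    $config = new SessionConfig();
    $config->setOptions([
        'name'                => 'zf3',
        // Only read when rememberMe() is called without a TTL.
        'remember_me_seconds' => REMEMBER_SECONDS,
        // 0 = browser-session cookie until rememberMe() extends it.
        'cookie_lifetime'     => 0,
        // Session data must not be garbage-collected before the cookie expires.
        'gc_maxlifetime'      => REMEMBER_SECONDS,
        'cookie_httponly'     => true,
    ]);

    return new SessionManager($config);
}

/**
 * Hypothetical login hook: extend the cookie only when the user opted in.
 */
function onLogin(SessionManager $manager, bool $rememberMe): void
{
    $manager->start();
    if (! $rememberMe) {
        return; // cookie stays a browser-session cookie
    }

    $config = $manager->getConfig();
    if ($config->getGcMaxlifetime() < $config->getRememberMeSeconds()) {
        // The cookie would outlive the data it points to.
        throw new RuntimeException('gc_maxlifetime is shorter than remember_me_seconds');
    }

    // Sets the cookie lifetime to remember_me_seconds and regenerates the
    // session ID so that a new cookie is sent to the client.
    $manager->rememberMe();
}
```

The guard in `onLogin()` catches the mismatch described above, where the cookie is extended but garbage collection removes the session data first.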

@weierophinney
Member

This repository has been closed and moved to laminas/laminas-session; a new issue has been opened at laminas/laminas-session#14.
