OWASP/phpsec

Session expires even when user is active

rash805115 opened this issue · 4 comments

While doing RNJ, I noticed that session expires after 30 min, even if the user is active. 30 min is the inactivity time.

When I backtraced this, I found that inactivity time is calculated by the time that the session cookie was created. Now, every time the user is doing something, the initial time is not changed, hence after every 30 min, the session expires.

Solution: In the session database, we have to keep updating "last_activity" whenever we get any request from user.

PS: Refreshing the cookie is not an option because then we won't be able to tell when the session must "age" which by default is 1 week.

Have you fixed it already? Or can I have a look at it?

NO..I haven't fixed it..

On Sat, Oct 26, 2013 at 6:33 PM, Paulo Guerreiro notifications@github.com wrote:

Have you fixed it already? Or can I have a look at it?



Regards,
Rahul Chaudhary
Ph - 412-519-9634

I guess you have solved this issue @rash805115
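
The behaviour requested in the opening report, as an added example that is not phpsec's own code: the idle window slides with each request through `last_activity`, while the separate creation timestamp still enforces the absolute session age. The class, method and field names are hypothetical, the in-memory array stands in for the session table, and the 30-minute and 1-week limits are the values quoted in the issue.

```php
<?php
// Added illustration, not phpsec code; all names here are hypothetical.
final class SessionStore
{
    const IDLE_LIMIT = 1800;    // 30 min inactivity window (from the issue)
    const MAX_AGE    = 604800;  // 1 week absolute session age (from the issue)
    private array $rows = [];   // stand-in for the session database table

    public function create(int $now): string
    {
        $id = bin2hex(random_bytes(16));
        $this->rows[$id] = ['created' => $now, 'last_activity' => $now];
        return $id;
    }

    // Call on every request; returns whether the session is still valid.
    public function touch(string $id, int $now): bool
    {
        if (!isset($this->rows[$id])) {
            return false;
        }
        $row = $this->rows[$id];
        $idleExpired = ($now - $row['last_activity']) > self::IDLE_LIMIT;
        $tooOld      = ($now - $row['created']) > self::MAX_AGE;
        if ($idleExpired || $tooOld) {
            unset($this->rows[$id]);   // drop server-side state, not only the cookie
            return false;
        }
        // Slide the idle window; 'created' is never modified, so the session still ages.
        $this->rows[$id]['last_activity'] = $now;
        return true;
    }
}

// Constructed timeline: an active user sending a request every 20 minutes.
$store = new SessionStore();
$t0 = 1382800000;                                  // constructed timestamp
$id = $store->create($t0);
var_dump($store->touch($id, $t0 + 1200));          // 20 min after creation
var_dump($store->touch($id, $t0 + 2400));          // 40 min after creation, 20 min idle
var_dump($store->touch($id, $t0 + 2400 + 1801));   // more than 30 min since last request
$id2 = $store->create($t0);
for ($t = $t0; $t <= $t0 + 604800; $t += 1200) { $store->touch($id2, $t); }
var_dump($store->touch($id2, $t0 + 604800 + 600)); // never idle, but past the 1-week age
```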