auraphp/Aura.Session

Session lifetime is ignored

Closed this issue · 3 comments

This is what I do. Am I using Aura wrong? The lifetime doesn't seem to go beyond 1hr, no matter what I do. It feels like I'm using it wrong, based on this lifetime issue that I'm having. Though, I did follow the documentation to the best of my knowledge.

Initiate session when needed:

public function session() {
	if (!isset($this->_session)) {
		$session_factory = new SessionFactory;
		$this->_session = $session_factory->newInstance($_COOKIE);
		$this->_session->resume();
	}
	return $this->_session;
}

Trying to set a session w/ lifetime in the login action:

if (login($email, $password)) {
	$this->session()->setCookieParams(array(
		'lifetime' => (
			// for instance, two days.
			60*60*24*2
		),
		'path' => '/',
	));

	$segment = $this->session()->getSegment('MyProject');
	$segment->set('identity', '…');

	// don't know if this is necessary.
	$this->session()->commit();

	// redirect …
}

Load stored value from session on next page request:

// load user from session, if any.
$segment = $this->session()->getSegment('MyProject');
$user_id = $segment->get('identity');

The identity value is stored, but it gets automatically cleared after (I think) one hour – neither after two days, nor upon restarting the browser.

  • PHP version 7.2.19-0ubuntu0.18.04.2
  • Apache/2.4.29 (Ubuntu)
  • aura/session 2.1.0 (installed via Composer)

If I dump the session.cookie_lifetime value at various places, I can see that it is indeed set right before the redirect, but then 0 again on the next page request. I'm not really sure if all the other session variables are set properly … I'm not very familiar with session management.

session.auto_start	Off
session.cache_expire	180
session.cache_limiter	nocache
session.cookie_domain	no value
session.cookie_httponly	no value
session.cookie_lifetime	0
session.cookie_path	/
session.cookie_secure	0
session.gc_divisor	1000
session.gc_maxlifetime	1440
session.gc_probability	0
session.lazy_write	On
session.name		PHPSESSID
session.referer_check	no value
session.save_handler	files
session.save_path	/var/lib/php/sessions

session.serialize_handler		php
session.sid_length			26
session.upload_progress.cleanup		On
session.upload_progress.enabled		On
session.sid_bits_per_character		5
session.upload_progress.freq		1%
session.upload_progress.min_freq	1
session.upload_progress.name		PHP_SESSION_UPLOAD_PROGRESS
session.upload_progress.prefix		upload_progress_

session.use_cookies		1
session.use_only_cookies	1
session.use_strict_mode		0
session.use_trans_sid		0

Can someone please teach me how to use Aura correctly?

koriym commented

According to the PHP manual, session_set_cookie_params must be called before starting the session.

You need to call session_set_cookie_params() for every request and before session_start() is called.

The session() method should be like this.

    public function session() {
        if (!isset($this->_session)) {
            $session_factory = new SessionFactory;
            $this->_session = $session_factory->newInstance($_COOKIE);
            $this->_session->setCookieParams(array(
                'lifetime' => (
                    // for instance, two days.
                    60*60*24*2
                ),
                'path' => '/',
            ));
            $this->_session->resume();
        }
        return $this->_session;
    }

Also, in development, when testing session functionality, it is a good idea to set the value of session.gc_probability to the same value as session.gc_divisor so that gc always works.

These things may or may not be related to the first question where the session disappears, but I think they need to be corrected.

public function session() {
	if (!isset($this->_session)) {
		$session_factory = new SessionFactory;
		$this->_session = $session_factory->newInstance($_COOKIE);
		$this->_session->resume();
	}
	return $this->_session;
}

This session method calls resume, so if a session cookie is included in the request, it will start the session at the time of the call.

So if you update the session cookie when the request contains a session cookie, e.g. regenerateId, the value of session.cookie_lifetime would be used.

In 2.1.0, if you call setCookieParams on a session that has started as described above, this library does nothing.

public function setCookieParams(array $params)
{
    $this->cookie_params = array_merge($this->cookie_params, $params);
    $this->phpfunc->session_set_cookie_params(
        $this->cookie_params['lifetime'],
        $this->cookie_params['path'],
        $this->cookie_params['domain'],
        $this->cookie_params['secure'],
        $this->cookie_params['httponly']
    );
}

In 4.x, a SessionAlreadyStarted exception is thrown.

if ($this->isStarted()) {
    throw new SessionAlreadyStarted();
}
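
The ordering both answers describe, as an added example that is not part of the original thread and is not Aura.Session code: it uses only native PHP session functions, and `startSessionWithLifetime` and its return keys are hypothetical names. It also reports when `session.gc_maxlifetime` (1440 in the dump above) is shorter than the cookie lifetime, because the manual treats session data older than that value as garbage.

```php
<?php
// Added example; function name and return keys are hypothetical.

/**
 * Set the cookie parameters and start the session in the order PHP honours:
 * parameters first, session_start() second. Returns the effective settings.
 */
function startSessionWithLifetime(int $lifetime, bool $secure): array
{
    // Once the session is active the cookie parameters cannot be changed,
    // so fail loudly instead of silently keeping session.cookie_lifetime = 0.
    if (session_status() === PHP_SESSION_ACTIVE) {
        throw new LogicException('Session already started; set cookie params first.');
    }

    // Positional form works on PHP 7.2; the array form needs PHP 7.3+.
    // httponly = true is an assumption of this example, not a value from the thread.
    session_set_cookie_params($lifetime, '/', '', $secure, true);
    session_start();

    $gcMaxLifetime = (int) ini_get('session.gc_maxlifetime');

    return [
        'cookie'                 => session_get_cookie_params(),
        'gc_maxlifetime'         => $gcMaxLifetime,
        // True when stored data may be collected before the cookie expires.
        'gc_shorter_than_cookie' => $gcMaxLifetime < $lifetime,
    ];
}

// Constructed CLI demo: two days, as in the question. No output before session_start().
ini_set('session.save_path', sys_get_temp_dir());
$effective = startSessionWithLifetime(60 * 60 * 24 * 2, false);

try {
    // Second call in the same request: the session is already active.
    startSessionWithLifetime(3600, false);
    $guard = 'not triggered';
} catch (LogicException $e) {
    $guard = $e->getMessage();
}
session_write_close();

printf("cookie lifetime:        %d\n", $effective['cookie']['lifetime']);
printf("gc_maxlifetime:         %d\n", $effective['gc_maxlifetime']);
printf("gc shorter than cookie: %s\n", var_export($effective['gc_shorter_than_cookie'], true));
printf("late call:              %s\n", $guard);
```
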

harikt commented

Sorry for the delay in answering @WoodrowShigeru.

Thank you @koriym, @NaokiTsuchiya for your answers. I am closing this for now. In case there is any issue, we can re-open it.