snc/SncRedisBundle

Disable reset of ttl on each request

ShytN1k opened this issue · 1 comment

Hi!

I figured out that the session key's TTL is reset to its initial value (3600 in the example) on each request to it. How can I disable this behavior?

Project config:

symfony/symfony: 4.4
snc/redis-bundle: 3.2.4
predis/predis: 1.1.7

framework.yaml:

session:
    handler_id: snc_redis.session.handler
    cookie_lifetime: 3600

snc_redis.yaml:

snc_redis:
    clients:
        ...
        session:
            type: predis
            ...
    session:
        client: session

I know that I can explicitly set the TTL via snc_redis.session.ttl, but it does not change the reset of the TTL.

Why is this a problem?

There can be a client (or bot) that logs in to the system and repeatedly pings the server to indefinitely extend its session lifetime. The cookie expiry is only respected by the browser, but it doesn't prevent the client from spamming the API with cURL requests. Each request resets the TTL and postpones the time until the session is actually destroyed from the cache.

Reproduce:

  1. Login.
  2. Check session key's ttl. It should be 3600 at the beginning.
  3. Refresh page.
  4. Check session key's ttl. It should be lower than 3600, but it is reset to 3600 again.

Please mention if it was fixed in later versions and I have to update the bundle to a specific version.
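One mitigation that does not depend on how the Redis handler sets the TTL, as an added example (not code from the bundle or from the issue): a Symfony 4.4 event subscriber that enforces an absolute session age on top of the idle TTL, so repeated requests stop extending the session once the cap is reached. The class name, the session key and the 3600-second cap are assumptions chosen to match the cookie_lifetime above.

```php
<?php
// Added example: absolute session lifetime cap for Symfony 4.4.
// Records the session creation time in the session itself and invalidates the
// session once it is older than $maxLifetime, regardless of how often the
// handler refreshes the Redis key TTL. Names and values below are assumptions.
declare(strict_types=1);

namespace App\EventSubscriber;

use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Symfony\Component\HttpKernel\Event\RequestEvent;
use Symfony\Component\HttpKernel\KernelEvents;

final class AbsoluteSessionLifetimeSubscriber implements EventSubscriberInterface
{
    private const CREATED_AT_KEY = '_app_session_created_at'; // assumed key name

    /** @var int absolute cap in seconds (assumed to match cookie_lifetime) */
    private $maxLifetime;

    public function __construct(int $maxLifetime = 3600)
    {
        $this->maxLifetime = $maxLifetime;
    }

    public static function getSubscribedEvents(): array
    {
        // Run before controllers touch session data; the priority is an assumption.
        return [KernelEvents::REQUEST => ['onKernelRequest', 64]];
    }

    public function onKernelRequest(RequestEvent $event): void
    {
        $request = $event->getRequest();
        if (!$event->isMasterRequest() || !$request->hasPreviousSession()) {
            return; // sub-request, or no session cookie sent: nothing to enforce
        }
        $session = $request->getSession();
        $now = time();
        $createdAt = $session->get(self::CREATED_AT_KEY);
        if ($createdAt === null) {
            $session->set(self::CREATED_AT_KEY, $now); // first request of a new session
            return;
        }
        if ($now - (int) $createdAt > $this->maxLifetime) {
            // Cap exceeded: drop all server-side data and rotate the session id,
            // so pinging the server no longer keeps the old session alive.
            $session->invalidate();
            $session->set(self::CREATED_AT_KEY, $now);
        }
    }
}
```

With autowiring enabled the subscriber registers itself; the security token is cleared together with the rest of the session data, so the client is logged out when the cap is reached.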

Sorry, but we no longer support snc-redisbundle 3.x, nor the session implementation that used to be here.