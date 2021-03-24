Session token expiring

#1

I have a project in which all forms send a token, this token is saved in the session and the two are compared when the form is handled to make sure they match.

Everything is working well except that after 60 minutes, the session token gets reset.
I have tried to change the session duration through session.gc_maxlifetime but this didn’t work, and I do generally prefer that the session remain 1 hour.

At the moment I have an ajax request that is targeted towards a file that is used just for session refreshing, this ajax request runs every 45 minutes.
The purpose is to refresh the session every 45 minutes so that it does not expire after 60 minutes, but it is expiring anyway, so something is not working.

I think my issue is the session codes I have set up, but I cant figure out the actual issue, here is the code i use at the beginning of every page, which is also in the session refresh page:

session_refresh.php

//Start the session if not started already
if (session_status() == PHP_SESSION_NONE) {
	session_start();
	session_regenerate_id();
}

//Set a session start time
if (!isset($_SESSION['session_start_time'])) {
	$_SESSION['session_start_time'] = date('d-m-y, H:i:s');
}

//Create a session token
if (!isset($_SESSION['token']) || empty($_SESSION['token'])) {
    $_SESSION['token'] = bin2hex(random_bytes(32));
}

Here is the JS code I use, I have tested this and it does return the session when tested, but after 60 minutes, the token is different:

$(function(){
        setInterval(function(){
            $.get("session_refresh.php", function(data){
                // console.log(data);
            });
        }, 2700000);
    });
 });
#2

Surprised it’s 60 minutes, to be honest.

PHP sessions by default time out after 15 minutes. You’ve set a timer for 45 minutes.

Every call to the page should be invoking session_start(), if you want the session to persist. “start” is a bit of a misnomer, as it starts a new or resumes an existing session.

Any session that wants to be persisted must call the refresh page on a timer lower than PHP’s configured session.gcmaxlifetime [default = 1440 seconds] or session.cookie_lifetime if cookies are used [default = 0, which is translated as ‘until the browser is closed.’].

There is no need to regenerate an ID that has been created microseconds earlier with session_start.

#3

I think I set it to 60 because of this specific issue, I tried to make it longer, but its still not working as well as it should since I cant seem to extend the session.
Once its all working though I will change it back to 15 minutes as I don’t need it to be longer than that really.

I removed session_regenerate_id(), but I still don’t have a fix to the issue.

The session max lifetime is set to 60 minutes, and I set the timer for the ajax script for every 45 minutes, that should extend the current session every 45 minutes, right?

#4

I set the session length back to the default 1440 seconds, and i set the ajax interval to work every 10 minutes, but this isn’t helping, the session just isn’t being extended or refreshed.

#5

Did you change the code to always call session_start?

#6

You mean take it out of the session if statement?

I tried just having session_start without the if statement, but it actually gave me an error saying that a session has already started.

#7

That means something else is calling session_start. If something has already called session_start, you can’t call it again in the same page load.

#8

Then wouldn’t it be ok to keep it in the if statement? That way it is only started if it hasn’t already been started, no?

But in general, either way, session_start is being called every page load, so I’m not sure why the session isn’t refreshing.

#11

What is the value of session.cookie_lifetime? It sounds to me like the session might still be alive, but the cookie is gone, so the user can’t identify itself as the owner of the session anymore and thus a new session starts.

You can obtain this value using ini_get('session.cookie_lifetime').

#12

I see that ini_get('session.cookie_lifetime') is actually set to 0.

But, after further testing, i see the on a computer, the session is actually being refreshed, i updated the console output to show the current token, and the refresh time, and it was the same for a few hours:

So on a computer it seems to be working, but on a mobile phone it is not, the session is not being refreshed.

When i output ini_get('session.cookie_lifetime') it shows 0, but, now my question is why does it even work on the computer, and why doesn’t it work on a mobile phone?

To give a few more details about this, i have the website set up as PWA, and have installed it on my phone, when I leave it open for an hour or more, the form does not submit anymore because the tokens don’t match.

#13

I believe I figured out the issue, but I don’t know what the solution is.

On computers everything is working fine because the browser remains open and in a active state, even when not used, so the timer that calls the ajax request to refresh the session is always running, so the session is always refreshed.

On a phone though (through a browser or the PWA app - which is a browser basically), while it does work when the page is open, once you switch to another app, after a few minutes the page becomes not active, so the ajax timer stops running and the session does not get refreshed.
If you close the phone screen then it stops right away.

When you go back to the page, the interval timer will continue running.

This means the the interval timer will only run when the tab is active, which does make sense, but it means that if a user comes back to the tab at a later time, their session wasnt refreshed so the tokens wont match.

I think i need a way to detect if a user has “re-activated” the tab, and if so then to either refresh the session right away, or to just refresh the page.
Or to keep the interval timer working in the background somehow.

I wonder how other app handle this since switching between apps is a pretty normal and regular use type of thing.

(btw, I tested this by inspecting the phone element by connecting my phone to my computer with USB)

#14

I find it odd that it works with the Jquery ajax request on a computer. Most probably that is just due to low traffic to the server, resulting in low garbage collection.

Unless you pass the session id with the request, you are not guaranteed to get the same session id that you had in the last request. Since no one passes the session id by GET anymore (session hijacking), this means by a cookie.

Anyway, looking to solve this by polling in an attempt to keep the session alive is the wrong approach.

You could for example store a encrypted string in the cookie, which would automatically log the user back in (assuming it passes validation, again think hijacking and ensure you can secure against this).

Though these days, I would simply recommend that you setup a JWT authentication solution. That give you the benefit similar as above, where you can automatically login a user again within a set time range. I.e. for example within 6 hours since last activity etc.

Again, think hijacking as JWT is also vulnerable to that if not used properly.