Session token expiring

Date: 2021-03-23

PHP
#1

I have a project in which all forms send a token, this token is saved in the session and the two are compared when the form is handled to make sure they match.

Everything is working well except that after 60 minutes, the session token gets reset.
I have tried to change the session duration through session.gc_maxlifetime but this didn’t work, and I do generally prefer that the session remain 1 hour.

At the moment I have an ajax request that is targeted towards a file that is used just for session refreshing, this ajax request runs every 45 minutes.
The purpose is to refresh the session every 45 minutes so that it does not expire after 60 minutes, but it is expiring anyway, so something is not working.

I think my issue is the session code I have set up, but I can't figure out the actual issue. Here is the code I use at the beginning of every page, which is also in the session refresh page:

session_refresh.php

//Start the session if not started already
if (session_status() == PHP_SESSION_NONE) {
	session_start();
	session_regenerate_id();
}

//Set a session start time
if (!isset($_SESSION['session_start_time'])) {
	$_SESSION['session_start_time'] = date('d-m-y, H:i:s');
}

//Create a session token
if (!isset($_SESSION['token']) || empty($_SESSION['token'])) {
    $_SESSION['token'] = bin2hex(random_bytes(32));
}

Here is the JS code I use, I have tested this and it does return the session when tested, but after 60 minutes, the token is different:

$(function(){
    // Call the refresh page every 2700000 ms (45 minutes)
    setInterval(function(){
        $.get("session_refresh.php", function(data){
            // console.log(data);
        });
    }, 2700000);
});
#2

Surprised it’s 60 minutes, to be honest.

PHP sessions by default time out after 15 minutes. You’ve set a timer for 45 minutes.

Every call to the page should be invoking session_start(), if you want the session to persist. “start” is a bit of a misnomer, as it starts a new or resumes an existing session.

Any session that wants to be persisted must call the refresh page on a timer lower than PHP’s configured session.gc_maxlifetime [default = 1440 seconds] or session.cookie_lifetime if cookies are used [default = 0, which is translated as ‘until the browser is closed.’].

There is no need to regenerate an ID that has been created microseconds earlier with session_start.

#3

I think I set it to 60 because of this specific issue. I tried to make it longer, but it's still not working as well as it should since I can't seem to extend the session.
Once it's all working though I will change it back to 15 minutes as I don’t need it to be longer than that really.

I removed session_regenerate_id(), but I still don’t have a fix to the issue.

The session max lifetime is set to 60 minutes, and I set the timer for the ajax script for every 45 minutes, that should extend the current session every 45 minutes, right?
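
For readers following the thread, a refresh endpoint that resumes the session without regenerating the ID and reports the values needed to see why a token changed. This is an added example, not code from any poster; the `last_refresh` key, the JSON field names and the helper names `token_matches` and `fingerprint` are assumptions.

```php
<?php
// session_refresh.php: added example, not the poster's file.
declare(strict_types=1);

// Resume the existing session, or start one if the cookie is missing.
if (session_status() === PHP_SESSION_NONE) {
    session_start();
}

$now = time();

// Set only when the session data is new or was removed by garbage collection.
if (!isset($_SESSION['session_start_time'])) {
    $_SESSION['session_start_time'] = $now;
}
if (empty($_SESSION['token'])) {
    $_SESSION['token'] = bin2hex(random_bytes(32));
}

// Changing the data forces a write at the end of the request, which renews
// the timestamp that garbage collection compares with session.gc_maxlifetime.
$_SESSION['last_refresh'] = $now;

// Constant-time comparison for the form handler (hypothetical helper name).
function token_matches(string $submitted): bool
{
    return hash_equals($_SESSION['token'] ?? '', $submitted);
}

// A short hash shows whether a value changed without exposing the value.
function fingerprint(string $value): string
{
    return substr(hash('sha256', $value), 0, 8);
}

header('Content-Type: application/json');
header('Cache-Control: no-store');
echo json_encode([
    'session_age_seconds' => $now - $_SESSION['session_start_time'],
    'session_id_fp'       => fingerprint(session_id()),
    'token_fp'            => fingerprint($_SESSION['token']),
    'gc_maxlifetime'      => (int) ini_get('session.gc_maxlifetime'),
    'cookie_lifetime'     => (int) ini_get('session.cookie_lifetime'),
]);
```

A changed `token_fp` together with a `session_age_seconds` that has dropped back to zero means the session data was recreated rather than resumed. Comparing the reported `gc_maxlifetime` and `cookie_lifetime` (both in seconds) with the 2700000 ms timer shows whether the refresh request arrives before either limit.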