extend session time out

Closed
Advanced Security - PHP Register/Login System Advanced Security - PHP Register/Login System February 05, 2021
Login to reply
Milos Stojanovic Support Agent
7 months ago

Hey Shane,

I'm glad it's working for you and thanks for sharing the instructions on how you did it. I'll make your ticket public so anyone can see it.

Kind regards,
Milos

Shane Rushik
7 months ago

This is the work around I came up with, and I'm pretty happy with the result. You may want to share this with others who have the same challenge as I was seeing. I used cookies to track if the last social login was successful. If it was, then auto-redirect the user to the socialauth.php specifying the same provider as last time. like this...

I set two cookies to auto-authenticate when a user returns to the site. One cookie holds the social provider that the user used to authenticate. The other indicates if the last social login was successful.

When returning to the login page, if the previous social login was successful, it will redirect the user to the socialauth.php with the provider name. Just the same as if the user clicked on the social icon to sign in. The socialauth.php script clears the cookie "auth-success" as a reset. If the social login is successful, the "auth-success" is set to true for next time.

This is how I did that, maybe others will find this helpful.

=================
step 1 (socialauth.php):

I added this cookie to socialauth.php (above the switch ($provider) statement:

---------------------------
setcookie("auth-type", $provider, time() + (86400 * 30), "/");
setcookie("auth-success", '', time() + (86400 * 30), "/");
---------------------------

auth-type: is the name of the social provider used
auth-success: is set to true, if logged in successfully using that provider
auth-success is reset or cleared when the socalauth.php script is run.


=================
step 2 (index.php):

in the /index.php file, I added this code to set auth-success=true if logged in successfully
---------------------------
if (isset($_COOKIE["auth-type"])) setcookie("auth-success", 'true', time() + (86400 * 30), "/");
---------------------------


=================
step 3 (login.php):

in the login.php file, I added this code to redirect to the socialauth.php

---------------------------
if (isset($_COOKIE["auth-success"]) && isset($_COOKIE["auth-type"])) {
 $authProvider = $_COOKIE['auth-type'];
 $href="socialauth.php?p=" . $authProvider . "&token=" . $token;
 header("Location: $href");
}
---------------------------

If the cookie "auth-success" is true, get the the provider from "auth-type", and redirect to socialauth.php
It is essentially the same as clicking on the button to do the socalauth.php, but it does it automatically for the user.


=================
step 4 (logout.php):

In the logout.php file, I clear the auth-success cookie so redirected to the login.php file, the user is not auto-redirected to the socialauth.php. The user can choose a different login type.

---------------------------
setcookie("auth-success", '', time() + (86400 * 30), "/"); // 86400 = 1 day
---------------------------


Shane Rushik
7 months ago

Thanks for the reply. 

Setting session.save_path I see the session file written into the new temp folder, but it throws a 500 error at login 

This is the error

====================================================================
PHP Fatal error: Uncaught Hybrid_Exception: You cannot access this page directly. in /vendor/hybridauth/hybridauth/hybridauth/Hybrid/Endpoint.php:125

Stack trace:
#0 /vendor/hybridauth/hybridauth/hybridauth/Hybrid/Endpoint.php(51): Hybrid_Endpoint->processAuthStart()
#1 /vendor/hybridauth/hybridauth/hybridauth/Hybrid/Endpoint.php(72): Hybrid_Endpoint->__construct(Array)
#2 vendor/hybridauth/hybridauth/hybridauth/index.php(15): Hybrid_Endpoint::process()
#3 /socialauth_callback.php(6): require_once('/home/a7ix9nkf7...')
#4 {main}
  thrown in /vendor/hybridauth/hybridauth/hybridauth/Hybrid/Endpoint.php on line 125
====================================================================


The website is hosted on GoDaddy and I suspect this error has something to do with access permissions on the server side.

Milos Stojanovic Support Agent
7 months ago

Hey Shane,

Your "lifetime" parameter should be the session lifetime in seconds, so no need to use time() to calculate it. Please check the following article for more info on how to configure it: https://milos.support-hub.io/articles/working-with-session#session-lifetime

However, the session lifetime is probably not something that's causing a logout problem. There are two more things to check:

1) Set LOGIN_FINGERPRINT to false in your ASConfig.php file: https://milos.support-hub.io/articles/advanced-security-configuration#login-configuration

2) If the above doesn't fix the problem, change the path where session files are stored. More info on how to do it can be found on this public ticket: https://milos.support-hub.io/tickets/683

Keep in mind that the folder you choose for storing session files should not be accessible over the internet for security reasons.

Kind regards,
Milos

Shane Rushik
7 months ago

A little more information, that I just realized would be important to include.

We are using the social login (FB/GMAIL), not the typical username/password.  Is it possible using the social login expires the session differently than it does when logging in with a username/password.

Thanks,

Shane Rushik
7 months ago

pretty much every time the page is loaded, we have to log in.  I cannot get the login session to last more than a few minutes.  Looking at other support threads, I edited the ASSession.php file with a longer lifetime for the cookie, but that doesn't seem to help. 

Is there something you can suggest to help me keep the login session active?  

This is what I edited:
==========================================================
    public static function startSession()     
   { 
        ini_set('session.use_only_cookies', SESSION_USE_ONLY_COOKIES); 
        $cookieParams = session_get_cookie_params(); 
        $cookieParams["lifetime"] = time() + 3600*24*7; 
         session_set_cookie_params( 
            $cookieParams["lifetime"], 
            $cookieParams["path"], 
            $cookieParams["domain"], 
            SESSION_SECURE, 
            SESSION_HTTP_ONLY 
        ); 
       session_start(); 
   }
==========================================================