Advanced Security Sessions.

Advanced Security - PHP Register/Login System, September 17, 2018
Milos Stojanovic Support Agent
6 years ago
Closed due to inactivity.
Milos Stojanovic Support Agent
6 years ago

Yes, that's how you should set the session path. Of course, the "/var/www/sessions" folder has to be writable, and when you check it there should be session files created by PHP.

Also, you said that you have changed the session expiration, but I see that you are still using $cookieParams["lifetime"] instead of an actual number of seconds for which the session cookie should be valid (like 86400 if you want the session to be active for 24 hours).

When you have things like this, you should not be logged out randomly for sure.

One other thing that can cause you problems is if you have LOGIN_FINGERPRINT set to true in your ASConfig.php file. When this value is set to true, AS will create a "fingerprint" which consists of your IP address and your browser information and check it whenever you call the ASLogin::isLoggedIn() method. The purpose of this is to prevent people who have somehow stolen your session cookie from continuing to use the app.

However, if your IP changes frequently, you will often be logged out and your session will be invalidated. So, if that's the issue in your case, then you will need to set this parameter to false so you can use the app properly.

- Milos

Maxim Levtov
6 years ago

So this is the code now in the ASSession.php

public static function startSession()
{
    ini_set('session.use_only_cookies', SESSION_USE_ONLY_COOKIES);

    // Lifetime, path and domain are taken from the current cookie params
    // (i.e. from php.ini); only the secure and httponly flags come from ASConfig.
    $cookieParams = session_get_cookie_params();
    session_set_cookie_params(
        $cookieParams["lifetime"],
        $cookieParams["path"],
        $cookieParams["domain"],
        SESSION_SECURE,
        SESSION_HTTP_ONLY
    );

    // Custom save path, set before the session is started
    session_save_path('/var/www/session');
    session_start();
}


It still seems to be randomly logging me out if I'm inactive for a bit. When it logs me out and I try to log back in, I get "Invalid CSRF token.". I am then required to refresh the login page before I can log back in. The invalid CSRF token part makes sense to me, but I'm not quite sure why I'm being logged out so quickly.

Milos Stojanovic Support Agent
6 years ago

Nope, that is not related to the path where session files are being saved.

Maxim Levtov
6 years ago

Would I need to change "$cookieParams["path"]"?

Milos Stojanovic Support Agent
6 years ago

Hey Maxim,

If you set the expiration time as explained inside the docs, the sessions should not expire after 5-10 mins for sure.

The only reason why this might happen is if your server is deleting session files automatically because, by default, they are located inside the /tmp folder and some servers are configured to automatically delete files from this folder after some period of time.

I would recommend that you change the path where sessions are being saved and use some other path that is not accessible via HTTP. You can change the path where session files are saved by adding the following line of code just before the session_start(); line inside the ASSession::startSession method:

//...
session_save_path('/path/to/custom/folder');
session_start();

- Milos
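As an added example that is not part of the Advanced Security project's own code or of either poster's snippet: this startSession() pulls together the two fixes Milos gives in this thread (a session save path outside the web root, and an explicit cookie lifetime in seconds rather than $cookieParams["lifetime"]) and adds the checks a practitioner would want, namely that the save path is actually writable and that PHP's server-side garbage collector is not set shorter than the cookie. The constants SESSION_LIFETIME_SECONDS and SESSION_SAVE_PATH are assumed names; SESSION_USE_ONLY_COOKIES, SESSION_SECURE, SESSION_HTTP_ONLY and LOGIN_FINGERPRINT are the names used on this page. The fingerprint functions are an illustration of the IP-plus-browser check described later in the thread, not AS's own implementation, and show the trade-off of leaving the IP out for users whose address changes.

```php
<?php
// Added example, not the Advanced Security project's own code.
declare(strict_types=1);

const SESSION_USE_ONLY_COOKIES = 1;
const SESSION_SECURE = true;              // send the cookie over HTTPS only
const SESSION_HTTP_ONLY = true;           // keep the cookie away from JavaScript
const SESSION_LIFETIME_SECONDS = 86400;   // 24 hours, as a plain number of seconds
const SESSION_SAVE_PATH = '/var/www/sessions'; // assumed path, not reachable over HTTP
const LOGIN_FINGERPRINT = true;

function startSession(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return; // starting twice only produces a warning
    }

    ini_set('session.use_only_cookies', (string) SESSION_USE_ONLY_COOKIES);

    // The server-side garbage collector must not expire session files sooner
    // than the cookie, or the user is logged out while the cookie is still valid.
    ini_set('session.gc_maxlifetime', (string) SESSION_LIFETIME_SECONDS);

    // Fail loudly: if the directory is missing or read-only, session_start()
    // would only warn and nothing would persist, so every request looks logged out.
    if (!is_dir(SESSION_SAVE_PATH) || !is_writable(SESSION_SAVE_PATH)) {
        throw new RuntimeException(
            'Session save path is not a writable directory: ' . SESSION_SAVE_PATH
        );
    }
    session_save_path(SESSION_SAVE_PATH);

    $cookieParams = session_get_cookie_params();
    // Array form needs PHP 7.3+; the positional form used in the thread works on older versions.
    session_set_cookie_params([
        'lifetime' => SESSION_LIFETIME_SECONDS, // explicit seconds, not $cookieParams['lifetime']
        'path'     => $cookieParams['path'],
        'domain'   => $cookieParams['domain'],
        'secure'   => SESSION_SECURE,
        'httponly' => SESSION_HTTP_ONLY,
        'samesite' => 'Lax',
    ]);

    session_start();
}

// Illustrative fingerprint built from browser information and, optionally, the
// client IP. With $includeIp = false a changing IP no longer invalidates the
// session, at the cost of not noticing a stolen cookie replayed from elsewhere.
function sessionFingerprint(array $server, bool $includeIp = true): string
{
    $parts = [$server['HTTP_USER_AGENT'] ?? ''];
    if ($includeIp) {
        $parts[] = $server['REMOTE_ADDR'] ?? '';
    }
    return hash('sha256', implode('|', $parts));
}

// Store the fingerprint on the first request after login, compare on later ones.
function fingerprintMatches(array $server, bool $includeIp = true): bool
{
    if (!LOGIN_FINGERPRINT) {
        return true;
    }
    $current = sessionFingerprint($server, $includeIp);
    if (!isset($_SESSION['fingerprint'])) {
        $_SESSION['fingerprint'] = $current;
        return true;
    }
    return hash_equals($_SESSION['fingerprint'], $current);
}

startSession();
if (!fingerprintMatches($_SERVER)) {
    session_unset();
    session_destroy(); // treat a fingerprint mismatch as an invalid session
}
```

After deploying, list the configured directory and confirm files named sess_* appear when you log in; if the directory stays empty, the path or its permissions are the problem, not the lifetime.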

Maxim Levtov
6 years ago

Hey Milos,

I've noticed my sessions are expiring after around 5-10 minutes of inactivity. I have followed the documentation and changed it to 24 hours (in seconds) in both the ASConfig and my php.ini.

Regards,

Matt