7

In my Symfony 3.4 application, the user is automatically logged out after a certain period of time. I want to change this behaviour and make my application never log out automatically. It should log out the session only when the user clicks on the logout link.

I have read the documentation and tried by setting the cookie_lifetime but it is not working for me. If anybody worked on this area please suggest how to proceed.

Updates:

I'm using this documentation page http://symfony.com/doc/master/components/http_foundation/session_configuration.html#session-lifetime

I'm using Symfony 3.4 flex based project.

I'm setting the configurations in config/packages/framework.yml. The configurations are as follows:

framework:
    session:
        handler_id: ~
        cookie_lifetime: 31536000
        gc_maxlifetime: 31536000

5
  • Can you provide a code example on what you tried so far? Especially how you've set the cookie_lifetime? Did you use this documentation page? symfony.com/doc/current/security/remember_me.html Mar 16, 2018 at 15:06
  • I have added more information Mar 16, 2018 at 15:12
  • Did you try out the link I provided? Seems like you also have to set up sth. in the firewall. Mar 16, 2018 at 15:48
  • @Musterknabe Nope, remember me is not needed in this case. I have answered my own question below. Mar 21, 2018 at 16:00
  • Ah, sorry, then I misunderstood you. You didn't want a remember_me function, you just wanted that the user is not getting logged out at all, correct? Mar 22, 2018 at 12:30

3 Answers

17

After a long debugging session, I found out that the following configuration tells Symfony to use the default PHP save handler and the default session file path.

framework:
    session:
        handler_id: ~

Hence Symfony session files are stored in the /var/lib/php/sessions directory. In Debian-based operating systems, a cron job deletes the session files every half an hour. This cron job identifies the active sessions based on the PIDs associated with apache2 and updates the last accessed time and last modification time of these active session files only.

Then the same cron job deletes the session files whose last modification time is older than gc_maxlifetime, i.e., inactive sessions. The main problem is that gc_maxlifetime is determined from the php.ini files only, without considering Symfony's .yaml files. Hence the configurations in Symfony's .yaml files are ignored and PHP's gc_maxlifetime is used.

This causes the session files to be deleted after 20 to 30 minutes. To fix this problem, I have updated the .yaml configurations as follows:

framework:
    session:
        handler_id: session.handler.native_file
        save_path: '%kernel.project_dir%/var/sessions/%kernel.environment%'
        cookie_lifetime: 31536000
        gc_maxlifetime: 31536000

Now the session files are not stored inside the default /var/lib/php/sessions directory and hence the cron job is not deleting the session files. Now Symfony is taking care of this session handling job and it works perfectly now.
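The mtime-based check the answer above describes, as an added example that is not part of the original answer or of Debian's own cleanup script: it lists which session files a cleanup job with a given lifetime would treat as inactive and checks that the session directory is owner-only. The function names are hypothetical, 1440 seconds is PHP's stock session.gc_maxlifetime, and GNU find is assumed.

```shell
#!/bin/sh
# Added example; stale_sessions, dir_is_private and session_report are
# hypothetical helper names. Assumes GNU find (as shipped on Debian).

# Print the sess_* files in directory $1 whose mtime is older than $2 seconds:
# the files an mtime-based cleanup job would treat as inactive sessions.
stale_sessions() {
    minutes=$(( ($2 + 59) / 60 ))   # find -mmin works in whole minutes
    find "$1" -mindepth 1 -maxdepth 1 -type f -name 'sess_*' \
        -mmin "+$minutes" -print
}

# Succeed only if directory $1 grants nothing to group or others. Session
# files hold authenticated state, so a relocated save_path should be owner-only.
dir_is_private() {
    [ -z "$(find "$1" -maxdepth 0 -perm /077 -print)" ]
}

# One-line summary for directory $1 under a lifetime of $2 seconds.
session_report() {
    total=$(find "$1" -mindepth 1 -maxdepth 1 -type f -name 'sess_*' | wc -l)
    stale=$(stale_sessions "$1" "$2" | wc -l)
    echo "dir=$1 lifetime=${2}s total=$((total)) stale=$((stale))"
    dir_is_private "$1" || echo "warning: $1 is accessible to group or others"
}

# Typical calls, comparing PHP's default lifetime with the one configured above:
#   session_report /var/lib/php/sessions 1440
#   session_report /path/to/project/var/sessions/prod 31536000
```

With the one-year lifetime no file is reported as stale, which also means files in the relocated directory accumulate unless something else removes them.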

0

This is the solution for Symfony 4.

session:
        #handler_id: ~
        handler_id: session.handler.native_file
        save_path: '%kernel.project_dir%/var/sessions/%kernel.environment%'
        cookie_lifetime: 1800 # was "lifetime" but deprecated

0

Just in case there's RedisSessionHandler configured for session storage, one should also consider increasing the ttl parameter passed into the service:

# config/services.yaml
services:
    # ...
    Symfony\Component\HttpFoundation\Session\Storage\Handler\RedisSessionHandler:
        arguments:
            - '@Redis'
            # you can optionally pass an array of options. The only options are 'prefix' and 'ttl',
            # which define the prefix to use for the keys to avoid collision on the Redis server
            # and the expiration time for any given entry (in seconds), defaults are 'sf_s' and null:
            - { 'prefix': 'my_prefix', 'ttl': 600 } # also set this equal to 31536000
