Jump to content

Session storage and lifetime


Doc
 Share

Recommended Posts

Hi guys,

I'm trying to setup my first login form. Once connected the user will able to access the other part of the website.

I've read many topics about session from which I've learned a lot but I still can't figure if sessions are files based, database based or cookie based ?

I've read somewhere Ryan said he will add a database option, is it live ?

Perhaps a cookie is only set if a user is logged in ?

In the doc http://processwire.com/blog/posts/multi-instance-pw3/#more-session-control, it says :

"Session variables are currently stored with PHP's session functions with files in /site/assets/sessions/."

In that same doc, someone asks in the comments section how to get rid of sessions, he don't use them and don't want any cookies (perhaps regarding EU cookie law...).

(I've also read many threads where people had too much files in their sessions directories, apparently ubuntu related or Php garbage collector setting).

So does PW sessions set a cookie or not ?

Does someone here know what's the default lifetime of a PW session ?

Thanks !

 

 

Link to comment
Share on other sites

Default session lifetime is 86400 seconds. You can change this to any value you want.

// config.php
$config->sessionExpireSeconds = 86400;

Allow/ disallow sessions (and the wire cookie) under conditions. Remind that you need this to have access to the backend admin.

// config.php
$config->sessionAllow = true;

If you want to disable cookies only for the frontend

/**
 * config.php
 * if we would use cookies only for the admin area
 *
 */
$config->sessionAllow = function($session) {
    // if URL is an admin URL, allow session
    if(strpos($_SERVER['REQUEST_URI'], $session->config->urls->admin) === 0) return true;
    // if there is a session cookie, a session is likely already in use so keep it going
    if($session->hasCookie()) return true;    
    // otherwise disallow session
    return false;
};


If you want to use cookies respecting EU Cookie law I recommend Cans Module MarkupCookieConsent in combination with this settings.

/**
 * config.php
 * if we would use cookies only for the admin area
 *
 */
$config->sessionAllow = function($session) {
    // if URL is an admin URL, allow session
    if(strpos($_SERVER['REQUEST_URI'], $session->config->urls->admin) === 0) return true;
    // if there is a session cookie, a session is likely already in use so keep it going
    if($session->hasCookie()) return true;    
    // user accepted cookies due to EU law (Module MarkupCookieConsent)
    if(!empty($_COOKIE['eu-cookie'])) return true;
    // otherwise disallow session
    return false;
};

Use the core module SessionHandlerDB to store session vars in the database.

Learn more about session setting options and sessions by reading the comments in the files /wire/config.php or /wire/core/Session.php of your processwire installation.

 

  • Like 12
Link to comment
Share on other sites

  • 1 year later...

Hi guys,

On some instances of ProcessWire I'm finding that the cookies only for admin area or even 

$config->sessionAllow

Is not disabling the wire cookie on the front end. Does anyone know why this would be? I've tried switching to DB sessions too.

 

Thanks

Link to comment
Share on other sites

On 5/18/2018 at 12:33 PM, alexmercenary said:

On some instances of ProcessWire I'm finding that the cookies only for admin area or even 


$config->sessionAllow

Is not disabling the wire cookie on the front end. Does anyone know why this would be? I've tried switching to DB sessions too.

 

I can confirm this for version 3.0.98. It does something. If set to false, I cannot use the backend.

But at the frontend the cookies are still set.

I was wrong. It works nicely. The cookie I saw was not set by Processwire. Sorry.

Edited by Susticle
Link to comment
Share on other sites

Hmm well I'm slightly baffled... If I set it to false it does indeed disable login however a wire cookie and wire_challenge cookie are still set on the backend and on the frontend there is still a wire cookie being set?

Link to comment
Share on other sites

@alexmercenary, when I test it using the function proposed in the blog post that introduced $config->sessionAllow...

$config->sessionAllow = function($session) {

    // if there is a session cookie, chances are user is logged in
    if($session->hasCookie()) {
        return true;
    }

    // if requested URL is an admin URL, allow session
    if(strpos($_SERVER['REQUEST_URI'], '/processwire/') === 0) {
        return true;
    }

    // otherwise disallow session
    return false;
};

...then it works as advertised. That is, when I am not logged into the back-end there is no cookie set.

2018-05-23_203016.png.e740d698cfb92e8b4ba22b5b7b728ed3.png

Are you deleting any old cookies before you check for the cookie when not logged in?

Link to comment
Share on other sites

@Robin S @Susticle Apologies for my slow response.

It's very peculiar. I've just used a cookie checker as you did and it says that it isn't setting them however when I check in web inspector for this particular site and another, it still shows the cookies if I delete them and refresh, as if it has set a new one.

checked in Chrome and Firefox in private windows too.

Very bizarre.

Link to comment
Share on other sites

Ok, I found out what was going on and it's me being silly, nonetheless, hopefully this will help someone.

I use FormBuilder for some forms and by default CSRF is enabled for obvious reasons, but this relies on sessions to validate the form submissions and this adds info to the wire/s cookie.

If you need to disable cookies then make sure to check this on the form settings and then I would suggest enabling this if people accept the cookie policy.

Link to comment
Share on other sites

7 hours ago, alexmercenary said:

I would suggest enabling this if people accept the cookie policy.

Just so people don't prematurely jump to disabling useful security features: Having cookies enabled to allow for session storage or csrf protection can be justified as "legitimate interest" (Art. 6 GDPR), which means you no longer need explicit consent. You'll probably still need to document that justification in the privacy policy, though.

  • Like 2
Link to comment
Share on other sites

11 hours ago, LostKobrakai said:

Just so people don't prematurely jump to disabling useful security features

Yeah, totally agree, I don't think people should jump straight to this, it was more a suggestion for a circumstance where a client would like all cookies unset initially, allowing people to enable them.

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share

×
×
  • Create New...