Session Timeout Ignored

Hi, I have built a number of CakePHP (v3) applications over the years and have never seemed to get the session timeout to work. It seems like it always just ignores whatever I put there and it just defaults to 1440 or whatever.

My most important application employs a custom session handler with AWS DynamoDB. CakePHP’s config.session.timeout is 90, and php ini_get returns 5400 (90 minutes) for session.gc_maxlifetime. So it should be 90 minutes as currently set but it’s logging out at ~24 minutes.

How do I even debug this? If anyone has an actual fix, that’d be great too, but I don’t even know where to start debugging.

Thanks!

What’s the expiry time on the session cookie that gets sent to your browser?

Hmmm, looking at this in Firefox, it just says

Expires:“Session”

I was unaware that this existed.

That’s the default for cookies, they’ll last until the browser is closed. (In multi-tab scenarios, maybe until the last tab for the site is closed. I’m not sure. I never use that type of cookie.) This shouldn’t be the source of your problem, at least.

Well that’s good I guess.

Dug a little bit further but still haven’t found the issue. I doubt it’s a CakePHP bug because then it would have been discovered by now.

You said

Is that a test you’re doing in the code being run by your web server? Many setups have different php.ini files for command line vs web server, so if you’re getting that value from the command line, it might not mean anything at all for processes run by the server.

Is that 5400 coming from your ini file, or being set somewhere in your code? If the latter, any chance it’s being set after the session is expired by some earlier bit of code?

Does the value 1440 appear anywhere else in your ini file, that might somehow have some knock-on effect?
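The checks suggested in the reply above, as an added example that is not part of the original thread: a PHP diagnostic that reports which php.ini the current SAPI loaded and, for each session setting, the value from the ini files next to the value in effect right now. The function name `sessionIniReport` and the idea of a temporary diagnostic file are assumptions; run it through the web server and from the command line and compare the two outputs, or call the function from inside a request once the application has started its session to catch values changed at runtime.

```php
<?php
// Added diagnostic, not code from the thread. sessionIniReport() is a
// hypothetical helper name chosen for this example.
declare(strict_types=1);

function sessionIniReport(): array
{
    $keys = [
        'session.gc_maxlifetime',   // server-side lifetime, in seconds
        'session.cookie_lifetime',  // 0 means the cookie expires with the browser session
        'session.save_handler',
        'session.gc_probability',
        'session.gc_divisor',
    ];

    // With details=true each entry carries global_value (from the ini files)
    // and local_value (what is in effect now, after any ini_set() calls).
    $all = ini_get_all('session', true) ?: [];

    $settings = [];
    foreach ($keys as $key) {
        if (!isset($all[$key])) {
            continue; // directive not available in this build
        }
        $settings[$key] = [
            'ini_file'           => $all[$key]['global_value'],
            'effective'          => $all[$key]['local_value'],
            'changed_at_runtime' => $all[$key]['global_value'] !== $all[$key]['local_value'],
        ];
    }

    return [
        'sapi'           => PHP_SAPI, // e.g. cli, fpm-fcgi, apache2handler
        'loaded_ini'     => php_ini_loaded_file() ?: '(none)',
        'scanned_ini'    => php_ini_scanned_files() ?: '(none)',
        'session_active' => session_status() === PHP_SESSION_ACTIVE,
        'settings'       => $settings,
    ];
}

if (PHP_SAPI !== 'cli') {
    header('Content-Type: text/plain');
}
print_r(sessionIniReport());
```

Remove the file from the server once the comparison is done, since it discloses configuration paths.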

Hmmm, I don’t think it’s being set in the code anywhere other than where I guess CakePHP sets it. But this gives me an idea of something to check. Will report back once I look into it. Thanks for the idea!

Did you resolve this? And if so, how?