ZF2: How to implement session timeout and a session fixation fix

Question

I want my sessions to expire after 30 minutes of inactivity however when I set this up, my users are getting logged out randomly, even though they may have had only a few seconds of inactivity. I think the problem lies with regenerating the session ID.

My understanding is that, to get the desired effect, I need to configure remember_me_seconds in my session to 1800. Then in my bootstrap, after I call $sessionMgr->start(), I need to call $sessionMgr->rememberMe().

rememberMe() calls regenerateId(), and I think this is where the problems lie. I think that if the browser fires off two requests in quick succession, the first request is processed and the session id is updated on the server. When the second request is received by the server it still carries the old session id, which is no longer recognised, so the server treats you as if you were logged out. Does this sound possible? I think it must be, since I can simulate the problem by calling regenerateId() directly (instead of calling rememberMe())

So, the question then is how should I implement my desired solution? As far as session timeout goes, I could store the 'last access' time in my session and compare it with the current time whenever a request is received. But this would make the rememberMe() functionality redundant. And as for regenerating the id to avoid session fixation, I can't see how I could do this effectively. There will always be situations when there are multiple browser requests in quick succession, so the possibility that the server will be out of synch...

Answer 1

For the session timeout you could do the following. I have this in a class that every controller extends and this timeout method runs on every request. Also, the timeout value is initially set upon login.

/**
 * If user is inactive for 5 minutes, log them out.
 * 
 * @return void | Zend\Mvc\Controller\Plugin\Redirect
 */
protected function timeout()
{
    // User Active so reset time session. (5minutes)
    // Note: (I'm using $this->identity which is basically an Auth object)
    // but would work the same way as $_SESSION['timeout']
    if ($this->identity->timeout + 300 > time()) 
    {
        $this->identity->timeout = time();
    } 

    // session timed out, logout user
    // this routes to the location of destroying the session, etc.
    else 
    {   
        return $this->redirect()->toRoute('logout', array());
    }       
} 

Also, if you're wanting to auto-logout the user without them having to refresh the page then you'd probably want to use AJAX to check the timeout value after (n) seconds to be reset.

Preventing session fixation: I haven't implemented it yet in ZF2. However I did in ZF1, and it worked fine with no problems. I know that really doesn't give you an answer but I would assume something along the same lines would also work in ZF2.

Random logouts: I've seen in some applications where this was fixed by changing some of the session properties in the php.ini file. In another application, I'm currently using ZF2's rememberMe($time) with no issues.

It might also be helpful to see how you're setting session storage options and initializing the session namespace object. In Zend\Session\Container notice the doc block that reads:

/**
 * Session storage container
 *
 * Allows for interacting with session storage in isolated containers, which
 * may have their own expiries, or even expiries per key in the container.
 * Additionally, expiries may be absolute TTLs or measured in "hops", which
 * are based on how many times the key or container were accessed.
 */

So something like this:

$this->session = new SessionContainer($this->namespace, $manager);

And setting rememberMe:

$this->session->getManager()->rememberMe($time);

Hopefully that points you in the right direction.

Answer 2

OK, so I was coming at this from the wrong angle. I had presumed that "remember me" and "cookie lifetime" were designed to help with session timeout. As this question makes clear, How do I expire a PHP session after 30 minutes?, I should be implementing my own solution.

Furthermore, after reading this article, http://phpsec.org/projects/guide/4.html, I can see that I only really need to regenerate the session ID when the user logs in or out.