
I am building a web application with Symfony3, Nginx, PHP7. For authorization I created a TokenAuthenticator class that extends AbstractGuardAuthenticator. I can authenticate with a token and log out manually.

If I don't log out manually the session seems to last forever. I want the app to invalidate any sessions when the browser is closed. All users should re-authenticate if it is a new browser session.

The session persists and I am not asked to re-authenticate even when I have restarted Nginx and PHP-FPM and cleared the cache from the command line.

My TokenAuthenticator has this method:

```php
public function supportsRememberMe()
{
    return false;
}
```

config.yml:

```yaml
session:
    handler_id:  session.handler.native_file
    save_path: "/var/lib/php/sessions/%kernel.environment%"
    cookie_lifetime: 0
```

security.yml:

```yaml
main:
    guard:
        authenticators:
            - app.token_authenticator
    logout:
        path: logout
        target: /
        invalidate_session: true

    anonymous: false
```

php.ini (local value / master value):

```
session.cookie_httponly On  On
session.cookie_lifetime 0   0
session.cookie_path /   /
```

How do I remove/destroy the session/cookie (PHPSESSID) when the browser is closed?

There must be a simple trick to do this.

Edit:

Got a good explanation in this answer on why, on the dev server, the session mostly never expires: https://stackoverflow.com/a/1505596/1249820

aGurung

1 Answer

Solved this by setting `session.gc_probability = 1` in php.ini; the default was 0. The PHP cron job /etc/cron.d/php to clear sessions runs every 30 minutes:

```
09,39 * * * *  root [-x /usr/lib/php/sessionclean] && /usr/lib/php/sessionclean
```

Verify that the cron job has executed:

```
grep CRON /var/log/syslog | tail
```
aGurung