Author Topic: session never expired  (Read 5015 times)

Offline wolfgao

  • Newbie
  • *
  • Posts: 4
session never expired
« on: September 05, 2009, 05:49:42 AM »
The session in my Roundcube never expired after I logged in; nothing happened after the expiry time. Below are my settings in main.inc.php.

$rcmail_config['keep_alive'] = 300;
$rcmail_config['min_keep_alive'] = 60;
$rcmail_config['session_lifetime'] = 10;

Is there something wrong in the settings? What should I do about it?

Offline rosali

  • Hero Member
  • *****
  • Posts: 2,533
session never expired
« Reply #1 on: September 07, 2009, 03:22:11 AM »
#1 - session_lifetime should be greater than keep_alive/60 ... yours is equal
#2 - normally the session does not expire because the keep_alive request is sent before the session expires.
Regards,
Rosali
__________________
MyRoundcube Project (commercial)

Offline wolfgao

  • Newbie
  • *
  • Posts: 4
session never expired
« Reply #2 on: September 07, 2009, 08:32:54 PM »
Thanks for the reply.
But in my settings keep_alive/60 is 5, less than session_lifetime.

Offline vimalkumar

  • Newbie
  • *
  • Posts: 2
Roundcube 0.3.1 Session never Expired
« Reply #3 on: January 05, 2010, 03:47:55 AM »
I'm also having the same problem. I installed Roundcube 0.3.1 and my session never expired. Then I installed Roundcube 0.2 stable and, surprisingly, this session did not expire either. :o
I have not changed the config on either 0.3.1 or 0.2:
$rcmail_config['session_lifetime'] = 10;
$rcmail_config['min_keep_alive'] = 60;
$rcmail_config['keep_alive'] = 60;

I've tried the [PATCH] Add option to avoid un-necessary updates to the session table.

But no use at all,

Finally, I saw the session table in the database, which keeps updating the 'Changed' field (every 1 min). I think that's why the session never expired. :(
« Last Edit: January 05, 2010, 04:26:41 AM by vimalkumar »

Offline rosali

  • Hero Member
  • *****
  • Posts: 2,533
session never expired
« Reply #4 on: January 05, 2010, 06:40:33 AM »
Please open a ticket @ trac.roundcube.net.

IMO, the current behavior is not what admins/users expect. The session will never time out due to check recent requests. I think automatically fired requests should not renew the session.
Regards,
Rosali
__________________
MyRoundcube Project (commercial)

Offline rosali

  • Hero Member
  • *****
  • Posts: 2,533
session never expired
« Reply #5 on: February 22, 2010, 09:22:25 AM »
Here is a small plugin which should do the job. There is one disadvantage I can't solve: if the check for recent messages is triggered manually, it is not considered human activity. I see no way to tell automatically fired check-recent requests from manually fired ones.

Just create a folder 'session_timeout' in the plugins dir and save the code in there as session_timeout.php. Don't forget to register the plugin.


<?php

/**
 * Session timeout on human inactivity
 *
 * @version 1.0 - 22.02.2010
 * @author Roland 'rosali' Liebl
 * @website http://myroundcube.googlecode.com
 * @licence GNU GPL
 *
 **/

/**
 * Usage: http://mail4us.net/myroundcube/
 *
 **/

class session_timeout extends rcube_plugin
{
  // Run for every task except login and logout
  public $task = '?(?!login|logout).*';

  function init()
  {
    $this->add_hook('startup', array($this, 'startup'));
  }

  function startup($args)
  {
    $rcmail = rcmail::get_instance();
    if($args['action'] == "keep-alive" || $args['action'] == 'check-recent'){
      // Automatic request: log out if the last human request is older than session_lifetime (minutes)
      if(!empty($_SESSION['keep_alive']) && ((time() - $_SESSION['keep_alive']) / 60) > $rcmail->config->get('session_lifetime')){
        rcube_sess_destroy(session_id());
        $rcmail->output->redirect(array('_task' => 'logout'));
      }
    }
    else{
      // Any other request counts as human activity
      $_SESSION['keep_alive'] = time();
    }
    return $args;
  }
}
?>


Should we make it have a user option to enable/disable this plugin?
Regards,
Rosali
__________________
MyRoundcube Project (commercial)
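
The effect discussed in this thread, as an added example that is not part of the original posts or of Roundcube: a small PHP replay of a constructed request timeline under two renewal rules, "every request renews the session" versus "only non-automatic requests renew it" (the plugin's idea). The function names, the timeline and the simplification that expiry is checked on every request are assumptions of the example.

```php
<?php
// Added illustration; not Roundcube code. Function names and the request
// timeline are constructed for this example.

// Actions the client fires on a timer without user input (the two the plugin treats as automatic).
const AUTOMATIC_ACTIONS = ['keep-alive', 'check-recent'];

/**
 * Replay a request timeline and return the timestamp (seconds) of the request
 * at which the session is found expired, or null if it survives the timeline.
 *
 * $lifetimeMin  session_lifetime in minutes
 * $humanOnly    false: every request renews the session (behaviour reported in the thread)
 *               true:  only non-automatic requests renew it (the plugin's approach)
 */
function first_expiry(array $requests, int $lifetimeMin, bool $humanOnly): ?int
{
    $lastRenewal = null;
    foreach ($requests as [$ts, $action]) {
        if ($lastRenewal !== null && ($ts - $lastRenewal) / 60 > $lifetimeMin) {
            return $ts; // too long since the last renewing request
        }
        $automatic = in_array($action, AUTOMATIC_ACTIONS, true);
        if (!$humanOnly || !$automatic) {
            $lastRenewal = $ts;
        }
    }
    return null;
}

/** Constructed timeline: the user reads mail for two minutes, then leaves the tab open. */
function sample_timeline(int $keepAliveSec, int $durationSec): array
{
    $requests = [[0, 'list'], [60, 'show'], [120, 'show']];
    for ($ts = 120 + $keepAliveSec; $ts <= $durationSec; $ts += $keepAliveSec) {
        $requests[] = [$ts, 'keep-alive'];
    }
    return $requests;
}

// Settings from the second report: keep_alive = 60 s, session_lifetime = 10 min.
$timeline = sample_timeline(60, 3600);
echo "every request renews:    ", var_export(first_expiry($timeline, 10, false), true), "\n";
echo "only human requests do:  ", var_export(first_expiry($timeline, 10, true), true), "\n";
```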