Hi,
I do have to come back to the session topic.
My cookie lifetime is set to one month (ok for my low traffic site).
Session cookies are stored in the browser and in the session directory /var/lib/php5/sessions/.
So the cookie looks like this:
kirby_session 26vnpd1ia9rmb397n7adb2u0r5 my.domain / 14. August 2035 um 18:06:18 MESZ 39 B ✓ ✓
I can find an appropriate session in the directory:
Kirby has its own internal expiration system for the Panel. Have you set the panel.session.timeout setting to anything special? It defaults to 1440 minutes (one day).
Just as a ps:
However I am not sure if it is the cookie lifetime, which needs adjusting:
I have four cookies on my site:
kirby_session_auth aefbddc42ccd593690b8ce2499c918b540ea1a06%2BPDBDY3GD6RTnQ1Jht5Wm77ZV7c7wROfERcpmLwQpsV8xe4ugMZxqCp1iiUbtNkaO mydomain.me / 14. August 2035 um 18:33:14 MESZ 125 B ✓ ✓
kirby_session v680ge96flg0savscdqnohd767 mydomain.me / 15. August 2035 um 01:28:57 MESZ 39 B ✓ ✓
_pk_ses.2.e625 * mydomain.me / 9. August 2016 um 15:19:53 MESZ 15 B
_pk_id.2.e625 6dc5ce6944cbf9b1.1465630908.23.1470746994.1470746472. mydomain.me / 9. Juli 2017 um 09:41:48 MESZ 66 B
Only the _pk_ses.2.e625 cookie is valid only until today. However, when I delete this cookie, it gets recreated on reload.
We are doing a 360 here. Cookie lifetime and Kirby’s internal timeout are two very different things.
The Panel sets the options on the s class using the options in panel.session.timeout and panel.session.lifetime.
Setting the values directly on s only works in the frontend, but once you log in to the Panel, the Panel options are used instead.
So this in config.php should do the trick for all of it (up to now it seems to be working…)?
s::$timeout = 60*24*30; // thirty days of session validity like in the Panel
s::$cookie['lifetime'] = 9999999; // don't let the cookie ever expire
c::set('panel.session.timeout', 60*24*30);
c::set('panel.session.lifetime', 60*24*30);
I seem to be missing something. It does not work yet:
This morning I tried to access the site, and again login comes up ;-(
Session Cookie (and auth cookie) are available and valid.
kirby_session v4j5ki27h45flf40nnheu9bfg0 pegeleins.me / 15. August 2035 um 18:42:23 MESZ 39 B ✓ ✓
PHP sessions are not meant to be permanent, they are supposed to expire when you close your browser. Kirby just does not have a permanent “remember login” feature yet.
If the session and cookie are still there, that’s strange though. I don’t know why it doesn’t work then. If you find the issue, let me know, we will then try to fix it in Kirby.
I think I know what might cause the problem:
In the toolkit/s.php file there is an additional fingerprint check.
// check for an existing fingerprint and compare it
if(isset($_SESSION['kirby_session_fingerprint']) and $_SESSION['kirby_session_fingerprint'] !== static::fingerprint()) {
  return false;
}
If I remove this it seems that I do not get logged out anymore.
What is the rationale behind this fingerprint? How risky would it be to leave it out?
Ah, that makes sense. The reason is probably that you got a new IP address, which makes the fingerprint change.
The fingerprint helps prevent session hijacking, so it’s pretty important for security. You may remove it however if you know what you are doing.
As I said: Kirby does not currently have a “persistent cookie” feature. Those sessions are meant to be actual sessions.
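The effect of the fingerprint check discussed in this thread, as an added example that is not from the thread or from Kirby's toolkit: a session bound to user agent plus client address is rejected after an address change even though the cookie is still valid, while a coarser binding survives changes within one network. The function names, the /24 mask and the sample requests are assumptions made for illustration.

```php
<?php
// Added illustration, not Kirby's implementation; all names are hypothetical.

// Strict binding: user agent plus the full client address.
function fingerprint_strict(array $server): string {
    return hash('sha256', ($server['HTTP_USER_AGENT'] ?? '') . '|' . ($server['REMOTE_ADDR'] ?? ''));
}

// Coarser binding: user agent plus the /24 network of an IPv4 address
// (assumed granularity; anything that is not IPv4 is used unmasked).
function fingerprint_network(array $server): string {
    $ip   = $server['REMOTE_ADDR'] ?? '';
    $long = ip2long($ip);
    $net  = $long === false ? $ip : long2ip($long & ip2long('255.255.255.0'));
    return hash('sha256', ($server['HTTP_USER_AGENT'] ?? '') . '|' . $net);
}

// Same shape as the check quoted in the thread: a stored fingerprint that does
// not match the current request invalidates the session. hash_equals() keeps
// the comparison constant-time.
function session_is_valid(array $session, array $server, callable $fingerprint): bool {
    if (isset($session['fingerprint'])
        && !hash_equals($session['fingerprint'], $fingerprint($server))) {
        return false;
    }
    return true;
}

// Constructed sample requests (documentation address ranges).
$ua       = 'ExampleBrowser/1.0';
$login    = ['HTTP_USER_AGENT' => $ua, 'REMOTE_ADDR' => '198.51.100.23'];
$requests = [
    'same address'          => $login,
    'new address, same /24' => ['HTTP_USER_AGENT' => $ua, 'REMOTE_ADDR' => '198.51.100.200'],
    'different network'     => ['HTTP_USER_AGENT' => $ua, 'REMOTE_ADDR' => '203.0.113.5'],
    'different user agent'  => ['HTTP_USER_AGENT' => 'OtherClient/2.0', 'REMOTE_ADDR' => '198.51.100.23'],
];

foreach (['fingerprint_strict', 'fingerprint_network'] as $fp) {
    // The fingerprint is stored once, at login.
    $session = ['fingerprint' => $fp($login)];
    foreach ($requests as $label => $server) {
        $state = session_is_valid($session, $server, $fp) ? 'session kept' : 'logged out';
        printf("%-20s %-22s %s\n", $fp, $label, $state);
    }
}
```

The coarser fingerprint trades some hijacking resistance for fewer forced logins; removing the check entirely drops the binding altogether.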