Session restore not always working

Hi,
I do have to come back to the session topic.
My cookie lifetime is set to one month (ok for my low traffic site).
Session cookies are stored in the browser and in the session directory /var/lib/php5/sessions/.
So the cookie looks like this:

kirby_session	26vnpd1ia9rmb397n7adb2u0r5	my.domain	/	14. August 2035 um 18:06:18 MESZ	39 B	✓	✓

I can find an appropriate session in the directory:

pi@kirby /v/l/p/sessions ❯❯❯ cat sess_26vnpd1ia9rmb397n7adb2u0r5
kirby_session_fingerprint|s:40:"c3f5e2167136f34766bf919c958f371a28978d8b";kirby_session_activity|i:1470720436;kirby_auth_secret|s:40:"6bfb773ca864d31a70b51f03592c68f4ed012c53";kirby_auth_username|s:6:"daniel";%

But my browser/php/kirby does not connect these two together, so I have to re-login already after half an hour.

Daniel

Kirby has its own internal expiration system for the Panel. Have you set the panel.session.timeout setting to anything special? It defaults to 1440 minutes (one day).

I have set

s::$timeout = 60*24*30; // thirty days of session validity like in the Panel
s::$cookie['lifetime'] = 9999999; // don't let the cookie ever expire

in my config.php

I will add

c::set('panel.session.timeout', 60*24*30);

However, my user login is for all users, not only for panel access. Might this be an additional “problem”?

Daniel

Just as a ps:
However, I am not sure if it is the cookie lifetime which needs adjusting:
I have four cookies on my site:

kirby_session_auth	aefbddc42ccd593690b8ce2499c918b540ea1a06%2BPDBDY3GD6RTnQ1Jht5Wm77ZV7c7wROfERcpmLwQpsV8xe4ugMZxqCp1iiUbtNkaO	mydomain.me	/	14. August 2035 um 18:33:14 MESZ	125 B	✓	✓

kirby_session	v680ge96flg0savscdqnohd767	mydomain.me	/	15. August 2035 um 01:28:57 MESZ	39 B	✓	✓

_pk_ses.2.e625	*	mydomain.me	/	9. August 2016 um 15:19:53 MESZ	15 B		

_pk_id.2.e625	6dc5ce6944cbf9b1.1465630908.23.1470746994.1470746472.	mydomain.me	/	9. Juli 2017 um 09:41:48 MESZ	66 B		

Only the _pk_ses.2.e625 is valid until today. However, when I delete this cookie, it gets recreated on reload.

Aren’t all pk cookies set by piwik?

Well, then these aren’t even relevant for kirby. And the other two expire in 2035. So why should I have to re-login?

We are doing a 360 here. Cookie lifetime and Kirby’s internal timeout are two very different things.

The Panel sets the options on the s class using the options in panel.session.timeout and panel.session.lifetime.
Setting the values directly on s only works in the frontend, but once you login in the Panel, the Panel options are used instead.

So this in config.php should do the trick for all of it (up to now it seems to be working…)?

s::$timeout = 60*24*30; // thirty days of session validity like in the Panel
s::$cookie['lifetime'] = 9999999; // don't let the cookie ever expire

c::set('panel.session.timeout', 60*24*30);
c::set('panel.session.lifetime', 60*24*30);

I think you don’t need the cookie lifetime options as the default is “never expires”.

I seem to be missing something. It does not work yet:
This morning I tried to access the site, and again login comes up ;-(
Session Cookie (and auth cookie) are available and valid.

kirby_session	v4j5ki27h45flf40nnheu9bfg0	pegeleins.me	/	15. August 2035 um 18:42:23 MESZ	39 B	✓	✓

Also in the session directory

pi@kirby /v/l/p/sessions ❯❯❯ cat sess_v4j5ki27h45flf40nnheu9bfg0
kirby_session_fingerprint|s:40:"b81efde24d78f657b5db3980bb55dd98baf38de0";kirby_session_activity|i:1470808458;% 

After login a new session is created and I can use the site w/o problems for some time.

Where could this go wrong?

PHP sessions are not meant to be permanent; they are supposed to expire when you close your browser. Kirby just does not have a permanent “remember login” feature yet.

If the session and cookie are still there, that’s strange though. I don’t know why it doesn’t work then. If you find the issue, let me know, we will then try to fix it in Kirby.

I think I know what might cause the problem:
In the toolkit/s.php file there is an additional fingerprint check.

// check for an existing fingerprint and compare it
if(isset($_SESSION['kirby_session_fingerprint']) and $_SESSION['kirby_session_fingerprint'] !== static::fingerprint()) {
  return false;
}

If I remove this it seems that I do not get logged out anymore.

What is the rationale behind this fingerprint? How risky would it be to leave it out?

Daniel

Ah, that makes sense. The reason is probably that you got a new IP address, which makes the fingerprint change.

The fingerprint helps prevent session hijacking, so it’s pretty important for security. You may remove it however if you know what you are doing.
As I said: Kirby does not currently have a “persistent cookie” feature. Those sessions are meant to be actual sessions. :slight_smile:
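As an added illustration (not Kirby's own code), the snippet below shows how a fingerprint check like the one in toolkit/s.php behaves when the client's IP address changes, and what binding only the network prefix instead of the full address changes. The fingerprint composition (user agent plus IPv4 prefix) and the function names are assumptions for this example; Kirby's real s::fingerprint() may be built differently.

```php
<?php
// Added example: a client fingerprint bound to the session, modelled on the
// check discussed above. Composition (user agent + IPv4 prefix) is assumed,
// not Kirby's actual implementation.

/**
 * Build a fingerprint from request data. $prefixBits controls how much of the
 * IPv4 address is bound: 32 = exact address (a new address after a router
 * re-dial invalidates the session), 16 = only the /16 network, 0 = user agent only.
 */
function fingerprint(array $server, int $prefixBits = 32): string {
    $ua   = $server['HTTP_USER_AGENT'] ?? '';
    $ip   = ip2long($server['REMOTE_ADDR'] ?? '0.0.0.0');
    $mask = $prefixBits === 0 ? 0 : ((-1 << (32 - $prefixBits)) & 0xFFFFFFFF);
    return sha1($ua . '|' . ($ip & $mask));
}

/**
 * Mirrors the toolkit check: accept the session if no fingerprint is stored yet
 * or the stored one matches; otherwise reject it (possible hijack, force re-login).
 */
function validateSession(array &$session, array $server, int $prefixBits = 32): bool {
    $current = fingerprint($server, $prefixBits);
    if (isset($session['kirby_session_fingerprint'])
        && !hash_equals($session['kirby_session_fingerprint'], $current)) {
        return false;
    }
    $session['kirby_session_fingerprint'] = $current;
    return true;
}

// Constructed requests: the same browser first from one address, then from a
// new address in the same /16 (what a DSL reconnect looks like), and finally
// a different client presenting the same session cookie.
$first  = ['HTTP_USER_AGENT' => 'Mozilla/5.0 (X11; Linux)', 'REMOTE_ADDR' => '203.0.113.10'];
$second = ['HTTP_USER_AGENT' => 'Mozilla/5.0 (X11; Linux)', 'REMOTE_ADDR' => '203.0.113.77'];
$other  = ['HTTP_USER_AGENT' => 'curl/7.88', 'REMOTE_ADDR' => '198.51.100.5'];

foreach ([32, 16] as $bits) {
    $session = [];
    validateSession($session, $first, $bits);
    printf("/%d binding: new IP in same network accepted=%s, different client accepted=%s\n",
        $bits,
        validateSession($session, $second, $bits) ? 'yes' : 'no',
        validateSession($session, $other, $bits) ? 'yes' : 'no');
}
```

With exact-address binding the second request from the same browser is rejected, which is the logout described in the thread; with /16 binding it is accepted while the different client is still rejected, so loosening the prefix trades some hijack protection for fewer spurious logouts rather than removing the check entirely.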