In my Cake 2 app I have the following code in APP/Config/core.php:

Configure::write('Session', array(
    'defaults' => 'database',
    'cookie' => 'mycookie',
    'timeout' => 4320 // 3 days
));

This is working mostly as expected. The sessions are stored in the database, the cookie is named correctly and the cookie is deleted after 3 days.

I got the above example from http://book.cakephp.org/2.0/en/development/sessions.html#built-in-session-handlers-configuration

Unfortunately, this isn't exactly what I want. I want the cookie to be deleted after 3 days, but I want it to be 3 days after the last time the user was active on the site. In other words:

1) User visits site on Monday, cookie is set to expire Wednesday. However, he comes back on Tuesday so now the cookie will expire on Thursday.

2) User visits site on Monday and doesn't come back again until Thursday, so a new cookie has to be generated.

At first I thought that it might be a matter of adding Session.autoRegenerate but that doesn't seem to be of any help. Even with this set, the cookie still seems to suffer the same fate of being deleted after 3 days even if the user was active on the site for the entire 3-day period.

Joseph

1 Answer


Since PHP auto renews the session cookie with each request, you should consider storing a separate timeout variable in the session and handle it in your /Controller/AppController.php file.

Something like this maybe.

/Controller/UsersController.php

public function login() {
    if ($this->request->is('post')) {
        if ($this->Auth->login()) {
            // Record the point in time at which this login stops being valid
            $this->Session->write('Auth.timeout', strtotime('+3 days'));
            return $this->redirect($this->Auth->redirect());
        } else {
            $this->Session->setFlash(__('Username or password is incorrect'), 'default', array(), 'auth');
        }
    }
}

/Controller/AppController.php

public function beforeFilter() {
    // Log the user out once the stored timeout has passed
    if ($this->Auth->user() && $this->Session->read('Auth.timeout') <= strtotime('now')) {
        $this->Auth->logout();
        $this->Session->setFlash(__('Your session expired.'), 'default', array(), 'auth');
    }
}
jeremyharris
  • That looks like a great way to ensure that the user gets logged out if they come back after 3 days of not having logged in, but it won't keep them logged in when the cookie expires after 3 days of activity. Am I to assume that the only way to do this is to set the cookie to expire in some ridiculously far point in the future and then use your method to ensure that they have to re-authenticate after 3 days of inactivity? – Joseph May 31 '12 at 05:16
  • I think I misunderstood the problem (I thought you wanted to time them out after 3 days regardless of activity). If you have the session timeout set to 3 days, PHP should renew the expiry time each time the user is active. So it *should* work how you want it to without my suggestions. If it's *not* renewing, then that's another issue. – jeremyharris May 31 '12 at 14:05
  • Ok, thanks anyway for your help. I've downvoted the answer so that other people looking at this realize that no answers to my specific questions have been posted yet. Still, I think your answer should stay as it does contain useful info for other people looking to solve related problems. – Joseph Jun 01 '12 at 03:31
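
The approach raised in the first comment (a long-lived cookie plus a server-side inactivity check) can be sketched as follows. This is an added example, not code from the answer or from CakePHP: it is plain PHP over an array standing in for the session, it adds an absolute lifetime cap that the thread does not discuss, and the names `startSession`, `touchSession`, `started` and `MAX_LIFETIME` are hypothetical. It assumes the session cookie itself is configured to outlive the idle window.

```php
<?php
// Added example: sliding idle timeout with an absolute cap, in plain PHP.
// 'timeout' plays the role of the answer's Auth.timeout session key;
// 'started' and MAX_LIFETIME are hypothetical additions.
const IDLE_WINDOW  = 259200;  // 3 days in seconds (4320 minutes)
const MAX_LIFETIME = 2592000; // 30 days, constructed value

// Call once after a successful login.
function startSession(array &$session, $now)
{
    $session['started'] = $now;
    $session['timeout'] = $now + IDLE_WINDOW;
}

// Call on every request. Returns true and slides the deadline forward
// when the session is still valid; clears it and returns false otherwise.
function touchSession(array &$session, $now)
{
    if (!isset($session['started'], $session['timeout'])) {
        return false; // not logged in
    }
    $idleExpired = $session['timeout'] <= $now;
    $tooOld = ($now - $session['started']) >= MAX_LIFETIME;
    if ($idleExpired || $tooOld) {
        $session = array(); // force re-authentication
        return false;
    }
    $session['timeout'] = $now + IDLE_WINDOW; // 3 days after this request
    return true;
}

// Constructed timeline for the question's two cases.
$day = 86400;
$monday = strtotime('2012-05-28 09:00:00 UTC');

$case1 = array();
startSession($case1, $monday);
echo 'Case 1, back on Tuesday: ';
var_dump(touchSession($case1, $monday + 1 * $day));
echo 'Case 1, back again on Thursday: ';
var_dump(touchSession($case1, $monday + 3 * $day));

$case2 = array();
startSession($case2, $monday);
echo 'Case 2, first return on Thursday: ';
var_dump(touchSession($case2, $monday + 3 * $day + 3600));
```

In a CakePHP 2 controller the same two steps would go through `$this->Session->write()` after `$this->Auth->login()` and through `$this->Session->read()` / `write()` in `AppController::beforeFilter()`, as in the answer's code.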