What is the default session expire time in Sinatra? - sinatra

If I did not explicitly set the session expire time in Sinatra, then what would be the default expire time?

The Sinatra session comes from Rack::Session; so out of the box it defaults to no expire. To override you can do something like follows.
set :sessions, :expire_after => 2592000

Related

How to specify the domain of cookie with Scala and Play

I want cookies which is set from test.domain.com to be set for .domain.com so that that it can still be used from anothertest.domain.com. Basically cookies should be shared between subdomains.
I called backend deployed at test.domain.com and set cookies with OK response as follows:
Ok("some response").withCookies(Cookie("id", id), Cookie("token", token))
And in application.conf I have set the session domain to ".domain.com"-
session {
\#Sets the cookie to be sent only over HTTPS.
\#secure = true
\#Sets the cookie to be accessed only by the server.
\#httpOnly = true
\#Sets the max-age field of the cookie to 5 minutes.
\#NOTE: this only sets when the browser will discard the cookie. Play will consider any
\#cookie value with a valid signature to be a valid session forever. To implement a server side session timeout,
\#you need to put a timestamp in the session and check it at regular intervals to possibly expire it.
\#maxAge = 300
\#Sets the domain on the session cookie.
domain = ".domain.com"
}
However, the cookie is being set for test.domain.com rather than .domain.com.
I want to use this cookie with anothertest.domain.com .
Can you please help me with this.
You don't have to change the configuration, you can add all attributes of a cookie when creating it.
Cookie("bla", bla).withDomain(xxx)
// Or
Cookie("bla", bla, domain = XXX)
(Not sure of exact name, I don't have documentation with me right now)

Unable to get idsrv cookie to timeout instead of be persistent

I have a problem where my idsrv cookie never seems to have a physical expiry time. So users on shared computers are logging in as each other because nobody appears to close their browser to kill this cookie.
Can someone please shed some light on what I should be doing?
You need to use persistent cookies to set the expiration, this will persist the cookie over browser sessions but also allow you to set the expiry. You don't mention which version of ASP.NET you're using but here's an example using aspnet core (the third parameter here must be true to persist the cookie):
var result =
await _signInManager.PasswordSignInAsync(model.Email, model.Password, true, true);
There are other ways to sign in but one way or another you'll have an overload that will allow you to set the persistent flag.
Then elsewhere you need to set the expiry when setting up cookie options you can specify the expiry time, e.g. if using Asp.Net Identity:
services.AddIdentity<ApplicationUser, IdentityRole>(
o => o.Cookies.ApplicationCookie.ExpireTimeSpan = TimeSpan.FromMinutes(30));
(Bear in mind that if you are on core and you upgrade to or use v2.0 you'll need to use services.ConfigureApplicationCookie instead, see here).
Of course this might not eliminate your users swapping machines within the expiration period but you can make the expiry small. What you can also do is use the SlidingExpiration flag alongside the expiry:
The SlidingExpiration is set to true to instruct the middleware to re-issue a new cookie with a new expiration time any time it processes a request which is more than halfway through the expiration window.
Meaning you can decrease the expiration time and so long as the user is still active they'll get new cookies. So the above code could be adjusted to:
services.AddIdentity<ApplicationUser, IdentityRole>(o =>
{
o.Cookies.ApplicationCookie.ExpireTimeSpan = TimeSpan.FromMinutes(10);
o.Cookies.ApplicationCookie.SlidingExpiration = true;
});

Mojolicious session expires versus default_expiration

I have a program where I want the session data to expire at an absolute Epoch time after a request. I don't want the expiration to update for every request.
default_expiration works but not expires.
This does not work:
post '/access' => sub {
my $self = shift;
my $user = $self->param('username');
if ($self->authenticate($user, $self->param('password'))) {
### Set this otherwise timeout refreshes for every request...
$self->session(expires => time + 120);
(...)
}
};
Mojolicious cookie set to 1 hour (3600s) the default...
$self->sessions->default_expiration(120) works but reset for every browser request.
I am using the Mojolicious::Plugin::Authentication plugin.
You can use the expiration key to set the same value as the default_expiration does. Before you set the value though, be sure to check to see if the key exists already and don't overwrite it if it does.

Zend_Session_Namespace and setExpirationSeconds

I have problem for set a timeout on Zend_Auth Session this is my code :
$authSession = new Zend_Session_Namespace('Zend_Auth');
$authSession->setExpirationSeconds(60*60*24*1);
This code should make session expire after 1 day but actualy session expire after about 30 min. Anyone know what's wrong ? Thank you.
The default session.gc_maxlifetime value in php.ini which specifies the number of seconds after which session data will be seen as 'garbage' is 24 minutes.
Calling Zend_Session_Namespace::setExpirationSeconds() is an internal to Zend Framework and has no effect on the session cookie itself or the session data on the server.
Make sure to adjust your session.gc_maxlifetime value accordingly such that PHP won't delete the data before you want it to. You can set this directly in php.ini or you can use ini_set somewhere in your bootstrap, or from your ZF application.ini file, use something like resources.session.gc_maxlifetime = 864000
See also:
Paragraph 2 of persisted login with Zend_Session::rememberMe
How do I create persistent sessions in PHP?
Paragraph 4 of Zend Framework Automatic Logout after inactivity

Zend_Session and Expiration

I need to set a very short session (3 minutes) upon hitting a specific page on my site. If someone hits that page again during that 3 minute session, the session should update to expire 3 minutes from that time.
On my "bootstrap" (it isn't a typical Zend bootstrap, but it is included in every page), I do the following:
$aSessionSaveHandlerConfig = array
(
"name" => "Sessions",
"primary" => "Session_ID",
"modifiedColumn" => "UpdateTimestamp",
"dataColumn" => "Data",
"lifetimeColumn" => "Lifetime",
);
$oSaveHandler = new Zend_Session_SaveHandler_DbTable($aSessionSaveHandlerConfig);
$oSaveHandler->setLifetime(App::$ReservationTimeout)->setOverrideLifetime(true);
Zend_Session::setSaveHandler($oSaveHandler);
ini_set("session.cookie_lifetime",App::$ReservationTimeout);
$aSessionOptions = array
(
"gc_probability" => 100,
"gc_divisor" => 100,
"gc_maxlifetime" => App::$ReservationTimeout,
"cookie_lifetime" => App::$ReservationTimeout,
);
Zend_Session::setOptions($aSessionOptions);
Then within the page that should create/update the session, I have:
App::$ReservationSession = new Zend_Session_Namespace("ReservationSession");
$oSaveHandler = Zend_Session::getSaveHandler();
$oSaveHandler->setLifetime(App::$ReservationTimeout);
I see the records in the database, the lifetime column is correct, but if i repeatedly hit the page that creates/updates the session, I get a new Session ID after 3 minutes passes (and the other one gets removed after garbage collection.
It appears the problem is getting the cookie to update it's time. Any ideas?
To get the session cookie to update its expiration time, you can use Zend_Session::rememberMe() to change the default lifetime of the cookie. Calling rememberMe() will also cause Zend_Session::regenerateId() to be called which generates a new session ID, copies old session data to the new session, and sends a new session cookie to the browser.
Try the following code and see if it solves your problem:
App::$ReservationSession = new Zend_Session_Namespace("ReservationSession");
$oSaveHandler = Zend_Session::getSaveHandler();
$oSaveHandler->setLifetime(App::$ReservationTimeout);
// Call remember me which will send a new session cookie with 3 minute expiration
// from the current time. Old session data is copied to the new one and the old
// session is deleted
Zend_Session::rememberMe(App::$ReservationTimeout);
See the manual section on Session Identifiers for more information, or see also How to reset a Zend rememberMe function on each automatic login?
UPDATE:
Given your comment, I came up with this solution that you can use.
What this does is start your session as usual and then checks a value in the session to see if the user had an existing session.
If they do have an session, it uses setcookie() to send an updated session cookie using the existing parameters (including session id), except it sets the expiration to time() + $ReservationTimeout. If they did not have a session, then there is no need to update the cookie since the expiration is already correct and it will be updated on their next request (assuming they visit before it expires).
App::$ReservationSession = new Zend_Session_Namespace("ReservationSession");
$oSaveHandler = Zend_Session::getSaveHandler();
$oSaveHandler->setLifetime(App::$ReservationTimeout);
if (!isset(App::$ReservationSession->hasSession)) {
// user had no session before or it was expired
App::$ReservationSession->hasSession = true;
} else {
// user has a valid session, update the cookie to expire 3 mins from now
$params = session_get_cookie_params();
$expire = time() + App::$ReservationTimeout;
setcookie(session_name(),
Zend_Session::getId(),
$expire,
$params['path'],
$params['domain'],
$params['secure'],
$params['httponly']);
}
I tested the solution using the files session handler and it worked as expected, I think it should be fine for your situation as well.