- First commit to issue fork.
- Merge request !6843SessionHandler::read should update session timestamp instead of only during ::write → (Open) created by mohit_aghera
- 🇺🇸United States kentr Durango, CO
For me on
11.1.0(without the patch), thetimestampcolumn is updated on reads at the interval specified by$settings['session_write_interval'].Details of the mechanism ( credit to @znerol for this description 🐛 Session fixation for anonymous users - discard invalid session identifiers instead of accepting them Needs work ):
- Drupal core has the session_write_interval setting which defaults to
180seconds. - That setting is used in core MetadataBag to initialize its parent.
- The Symfony MetadataBag will update its timestamp when the update threshold is reached.
- When that happens, session metadata is changed and
SessionHandler:write()is called when the request terminates. - That in turn will also update the
timestampfield.
Note that this also happens for read-only requests because Symfony's
MetadataBag::initializeis also called when existing session data is loaded for the request.This test verifies that
timestampis updated on reads.Regarding logging users out at a shorter interval: for me it works as expected when I set
gc_maxlifetimeandcookie_lifetime, and do a cache rebuild. The existing cookie isn't cleared, though. It's only working for logins that occur after the settings are changed.So, the suggested change should not be necessary. It also looks like it writes to the DB after every read, which would have a performance penalty.
- Drupal core has the session_write_interval setting which defaults to