[WCM] Idle sessions expiration cookbook recipe. #4576

1 change: 1 addition & 0 deletions book/security.rst
@@ -2326,6 +2326,7 @@ Learn more from the Cookbook
* :doc:`Access Control Lists (ACLs) </cookbook/security/acl>`
* :doc:`/cookbook/security/remember_me`
* :doc:`How to Restrict Firewalls to a Specific Request </cookbook/security/firewall_restriction>`
* :doc:`/cookbook/security/session_expiration`

.. _`FrameworkExtraBundle documentation`: http://symfony.com/doc/current/bundles/SensioFrameworkExtraBundle/annotations/security.html
.. _`FOSUserBundle`: https://github.com/FriendsOfSymfony/FOSUserBundle
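Review bot: the added entry `* :doc:`/cookbook/security/session_expiration`` relies on the target document's own title, while two of the three neighbouring entries (the ACL and firewall-restriction links) spell out an explicit link text; for consistency with those, consider `* :doc:`Expiration of Idle Sessions </cookbook/security/session_expiration>``, which matches the heading of the new recipe.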
2 changes: 2 additions & 0 deletions cookbook/map.rst.inc
@@ -157,6 +157,7 @@
* :doc:`/cookbook/security/target_path`
* :doc:`/cookbook/security/csrf_in_login_form`
* :doc:`/cookbook/security/named_encoders`
* :doc:`/cookbook/security/session_expiration`

* **Serializer**

@@ -175,6 +176,7 @@
* :doc:`/cookbook/session/sessions_directory`
* :doc:`/cookbook/session/php_bridge`
* :doc:`/cookbook/session/limit_metadata_writes`
* (security) :doc:`/cookbook/security/session_expiration`

* **symfony1**

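Review bot: the `(security)` prefix on the added line `* (security) :doc:`/cookbook/security/session_expiration`` breaks the form of every other entry visible in this list, which are bare `:doc:` references; if the intent is to cross-list the security recipe under the Session section, check that the map uses this parenthesised-section convention elsewhere, and otherwise drop the prefix so the entry renders like its siblings.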
1 change: 1 addition & 0 deletions cookbook/security/index.rst
@@ -25,3 +25,4 @@ Security
target_path
csrf_in_login_form
named_encoders
session_expiration
154 changes: 154 additions & 0 deletions cookbook/security/session_expiration.rst
@@ -0,0 +1,154 @@
.. index::
single: Security; Expiration of Idle Sessions

Expiration of Idle Sessions
===========================

To be able to expire idle sessions, you have to activate the ``session_expiration``
firewall listener:

.. configuration-block::

.. code-block:: yaml

# app/config/security.yml
Contributor: # config/packages/security.yaml instead of # app/config/security.yml

security:
firewalls:
main:
# ...
session_expiration: ~

.. code-block:: xml

<!-- app/config/security.xml -->
Contributor: # config/packages/security.xml

<?xml version="1.0" encoding="UTF-8"?>
<srv:container xmlns="http://symfony.com/schema/dic/security"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:srv="http://symfony.com/schema/dic/services"
xsi:schemaLocation="http://symfony.com/schema/dic/services
http://symfony.com/schema/dic/services/services-1.0.xsd">

<config>
Member: Please add a blank line before this element (same below).

<firewall>
Contributor: I think you forgot here the firewall name

<!-- ... -->
<session-expiration />
</firewall>
</config>

</srv:container>

.. code-block:: php

// app/config/security.php
Contributor: # config/packages/security.php

$container->loadFromExtension('security', array(
'firewalls' => array(
'main'=> array(
// ...
'session_expiration' => array(),
),
),
));

To adjust the max idle time before the session is marked as expired, you can
set the ``max_idle_time`` option value in seconds. By default, the value of this
option is equal to the ``session.gc_maxlifetime`` configuration option of PHP.
The ``max_idle_time`` option value **should be less or equal** to the
``session.gc_maxlifetime`` value.

.. configuration-block::

.. code-block:: yaml

# app/config/security.yml
Contributor: # config/packages/security.yaml here

security:
firewalls:
main:
# ...
session_expiration:
max_idle_time: 600

.. code-block:: xml

<!-- app/config/security.xml -->
<?xml version="1.0" encoding="UTF-8"?>
<srv:container xmlns="http://symfony.com/schema/dic/security"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:srv="http://symfony.com/schema/dic/services"
xsi:schemaLocation="http://symfony.com/schema/dic/services
http://symfony.com/schema/dic/services/services-1.0.xsd">

<config>
<firewall>
<!-- ... -->
<session-expiration max-idle-time="600"/>
</firewall>
</config>

</srv:container>

.. code-block:: php

// app/config/security.php
$container->loadFromExtension('security', array(
'firewalls' => array(
'main'=> array(
// ...
'session_expiration' => array(
'max_idle_time' => 600,
),
),
),
));

By default, when an expired session is detected, an authorization exception is
thrown. If the option ``expiration_url`` is set, the user will be redirected
to this URL and no exception will be thrown:

.. configuration-block::

.. code-block:: yaml

# app/config/security.yml
security:
firewalls:
main:
# ...
session_expiration:
expiration_url: /session-expired

.. code-block:: xml

<!-- app/config/security.xml -->
<?xml version="1.0" encoding="UTF-8"?>
<srv:container xmlns="http://symfony.com/schema/dic/security"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:srv="http://symfony.com/schema/dic/services"
xsi:schemaLocation="http://symfony.com/schema/dic/services
http://symfony.com/schema/dic/services/services-1.0.xsd">

<config>
<firewall>
<!-- ... -->
<session-expiration expiration-url="/session-expired"/>
</firewall>
</config>

</srv:container>

.. code-block:: php

// app/config/security.php
$container->loadFromExtension('security', array(
'firewalls' => array(
'main'=> array(
// ...
'session_expiration' => array(
'expiration_url' => '/session-expired',
),
),
),
));

To detect idle sessions, the firewall checks the last used timestamp stored in
the session metadata bag. Beware that this value could be not as accurate as
expected if you :doc:`limit metadata writes </cookbook/session/limit_metadata_writes>`.
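Review bot: all three XML blocks (the plain `<firewall>` under the first `<config>`, and again in the `max-idle-time="600"` and `expiration-url="/session-expired"` examples) omit the firewall name that the YAML and PHP variants carry as `main`, so the three formats are not equivalent; use `<firewall name="main">` in each. The `max_idle_time` paragraph says the value "should be less or equal" to `session.gc_maxlifetime` without saying why: a session that has been idle longer than `gc_maxlifetime` may already have been removed by PHP's garbage collector, so an idle time above that limit can never be observed by the listener and the user is silently logged out instead of being redirected to `expiration_url`; one sentence to that effect would make the constraint actionable. The closing paragraph on `limit_metadata_writes` should also give the direction of the inaccuracy: with metadata writes throttled, the stored last-used timestamp lags real activity by up to the update threshold, so a session can be reported idle before `max_idle_time` seconds of real inactivity have elapsed. Minor: `'main'=> array(` in each PHP block is missing the space before `=>` that the surrounding array entries use.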