Bug 8538 - There is an undocumented hard-coded limit of 24 minutes on PHP session lifetime
Summary: There is an undocumented hard-coded limit of 24 minutes on PHP session lifetime
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: RPM Packages (show other bugs)
Version: Cauldron
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: Mageia Bug Squad
QA Contact:
URL:
Whiteboard: MGA3TOO, MGA2TOO
Keywords:
Depends on: 10997
Blocks:
  Show dependency treegraph
 
Reported: 2012-12-28 19:24 CET by Steve Havelka
Modified: 2013-08-30 19:53 CEST (History)
3 users (show)

See Also:
Source RPM: php-session
CVE:
Status comment:


Attachments

Description Steve Havelka 2012-12-28 19:24:39 CET
Description of problem:

The script at /usr/lib64/php/maxlifetime, which is used by /etc/cron.d/php to delete old/expired sessions, has a hard-coded limit of 24 minutes.  This script then disregards any PHP session lifetime (session.gc_maxlifetime) value greater than 24 minutes, but this limit isn't documented or explained anywhere.

This limit should be well-documented or removed.
Manuel Hiebel 2013-01-01 18:42:59 CET

CC: (none) => luigiwalser, oe, oliver.bgr

Comment 1 David Walser 2013-08-17 18:50:19 CEST
Confirmed, and easy to fix.  /usr/lib/php/maxlifetime just needs to look at /etc/php.ini, in addition to, or instead of /etc/php.d/*_session.ini.

Considering the only file matching that wildcard is 47_session.ini from php-session, which just contains:
extension = session.so

I'd think it'd be fine to just have the script look at php.ini.

In the php package source, this script is SOURCES/maxlifetime.

Oden, could we fix this for the next set of php updates?

Version: 2 => Cauldron
Whiteboard: (none) => MGA3TOO, MGA2TOO

Comment 2 Oden Eriksson 2013-08-19 16:16:14 CEST
This comes from debian and solved an issue years and years ago. However, after looking at the specific problem you should be able to define session.gc_maxlifetime in /etc/php.d/47_session.ini like so:

echo "session.gc_maxlifetime = 2880" >> /etc/php.d/47_session.ini

Then after running /usr/lib64/php/maxlifetime it will say 48

Is this good enough?
Comment 3 David Walser 2013-08-19 16:40:35 CEST
Sure that works as a workaround, but why not fix the script in our package to read from the correct file?
Comment 4 Oden Eriksson 2013-08-19 17:17:00 CEST
Because (In reply to David Walser from comment #3)
> Sure that works as a workaround, but why not fix the script in our package
> to read from the correct file?

Because there are four possible ini files that could contain different settings.

/etc/php-cli.ini
/etc/php.ini
/etc/php-cgi-fcgi.ini
/etc/php-fpm-fcgi.ini

All these will use /etc/php.d/47_session.ini.
Comment 5 David Walser 2013-08-19 17:22:56 CEST
OK.  Being that this script works globally, it should be running at the max of the settings in all of those files.  Why not have it at least read those files and use the max setting from them, rather than assuming the sysadmin is going to copy the right value to 47_session.ini?
Comment 6 Oden Eriksson 2013-08-19 17:26:02 CEST
(In reply to David Walser from comment #5)
> OK.  Being that this script works globally, it should be running at the max
> of the settings in all of those files.  Why not have it at least read those
> files and use the max setting from them, rather than assuming the sysadmin
> is going to copy the right value to 47_session.ini?

Because this is the first time anyone notice or file a bug report about it.

But sure, I can add this value in /etc/php.d/47_session.ini and also correct the "documentation" in /etc/php.ini
Comment 7 David Walser 2013-08-19 17:31:17 CEST
You could, but wouldn't it be easier to fix the script?  That would seem to make more sense, and be better for syadmins too.
Comment 8 Oden Eriksson 2013-08-19 17:40:06 CEST
fixed in r467724, r467725, r467726
Comment 9 Oden Eriksson 2013-08-19 17:47:57 CEST
(In reply to David Walser from comment #7)
> You could, but wouldn't it be easier to fix the script?  That would seem to
> make more sense, and be better for syadmins too.

It will not be so easy since there is no way to tell what interpreter is used, and/or which php*ini file is used. /usr/bin/php is not /usr/bin/php-cgi, nor is it /usr/sbin/php-fpm or /usr/lib64/httpd/modules/mod_php.so. All of them can be installed at the same time and also being used differently.
Comment 10 David Walser 2013-08-19 20:23:09 CEST
(In reply to Oden Eriksson from comment #9)
> (In reply to David Walser from comment #7)
> > You could, but wouldn't it be easier to fix the script?  That would seem to
> > make more sense, and be better for syadmins too.
> 
> It will not be so easy since there is no way to tell what interpreter is
> used, and/or which php*ini file is used. /usr/bin/php is not
> /usr/bin/php-cgi, nor is it /usr/sbin/php-fpm or
> /usr/lib64/httpd/modules/mod_php.so. All of them can be installed at the
> same time and also being used differently.

Right, but that doesn't matter.  The script just runs regardless of which you're using, or what your settings are.  Like I said before, it should just use the max of any of them.
David Walser 2013-08-23 12:43:08 CEST

Depends on: (none) => 10997

Comment 11 David Walser 2013-08-30 19:53:24 CEST
Fixed in the update for Bug 10997:
http://advisories.mageia.org/MGASA-2013-0264.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED


Note You need to log in before you can comment on or make changes to this bug.