View Issue Details

ID: 17709
Project: Bug reports
Category: Installation
View Status: public
Last Update: 2022-05-23 11:30
Reporter: jpl166
Assigned To: DenisChenu
Priority: none
Severity: partial_block
Status: closed
Resolution: fixed
Product Version: 3.25.20
Summary: 17709: Session timeout ignoring settings
Description

I'm running 3.27.6 build 210629 (not in the dropdown) on Debian 10. I've already configured table-based sessions and set my iSessionExpirationTime to 86400 seconds. When I originally did this, I was able to go in to the DB table, find my session cookie ID, and convert the epoch time stored in there to readable and see that my session would expire 24 hours from now. When I do those same steps today I see an expiration 24 minutes in the future, not 24 hours. I don't remember what version of LS I was running back when this worked, but I have definitely upgraded on two occasions since then. It worked in March of 2021, but I probably wasn't running the latest 3.x at that time. I have also checked that the iSessionExpirationTime is visible in the General settings and it is there with the correct 86400 value.

The default iSessionExpirationTime in config-defaults.php is 7200 seconds, which is still not 24 minutes. It seems that 24 minutes is the default timeout value from the Yii CHttpSession, as referenced www.yiiframework.com/doc/api/1.1/CHttpSession which I got to from the LS documentation.

Steps To Reproduce

Steps to reproduce

Open survey, take more than 24 minutes to fill it out without going to a subsequent page OR hitting a "restart later", then try to submit in any way (subsequent page, submit whole survey, restart later)

Expected result

Should work.

Actual result

Fails with a session timed out error.

Tags: No tags attached.
Bug heat: 12
Complete LimeSurvey version number (& build): 3.27.6 build 210629 / 3.28.9 / 5.3.13
I will donate to the project if issue is resolved: No
Browser: firefox 100.0
Database type & version: MariaDB 10.3.31
Server OS (if known): Debian 10
Webserver software & version (if known): Apache 2.4.38 / NGINX
PHP Version: 7.4.16

Users monitoring this issue

User List DenisChenu

Activities

jpl166

2021-11-10 00:07

reporter   ~67215

Digging in to the Yii framework, it appears that they pull session.gc_maxlifetime from PHP and use that as their default timeout value. Setting that to 86400 does correctly reflect in the 'expire' column in the 'lime_sessions' table. So I have a workaround.

But that still means it isn't honoring the iSessionExpirationTime value from the Web UI.
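
The check described in the report and in the note above (read the 'expire' epoch from 'lime_sessions' and work out which timeout produced it), written out as an added example; it is not part of the original thread or of LimeSurvey's code. The sample rows, the function names, the 'id' values and the 120-second slack are assumptions made for illustration.

```python
from datetime import datetime, timezone

# Candidate timeouts named in the thread, in seconds.
CANDIDATES = {
    "iSessionExpirationTime (GUI / config.php)": 86400,
    "config-defaults.php default": 7200,
    "session.gc_maxlifetime (PHP default)": 1440,
}

def observed_timeout(rows, now):
    """Largest remaining lifetime among live sessions.

    'expire' is stored as (time of last session write + timeout), so the
    most recently written row has a remaining time closest to the timeout.
    """
    remaining = [expire - now for _sid, expire in rows if expire > now]
    return max(remaining) if remaining else None

def match_setting(observed, candidates=CANDIDATES, slack=120):
    """Name the candidate that lies at most `slack` seconds above `observed`."""
    if observed is None:
        return None
    for name, seconds in sorted(candidates.items(), key=lambda kv: kv[1]):
        if 0 <= seconds - observed <= slack:
            return name
    return None

def diagnose(rows, now, configured=86400, slack=120):
    """Report which setting is in force and whether `configured` is honored."""
    obs = observed_timeout(rows, now)
    expires = None
    if obs is not None:
        expires = datetime.fromtimestamp(now + obs, tz=timezone.utc).isoformat()
    honored = obs is not None and 0 <= configured - obs <= slack
    return {"observed_seconds": obs, "expires_at_utc": expires,
            "source": match_setting(obs, slack=slack),
            "configured_value_honored": honored}

# Constructed sample: (id, expire) pairs as they might be read from lime_sessions.
NOW = 1636502820  # 2021-11-10 00:07:00 UTC
SAMPLE_ROWS = [
    ("sess-a", NOW + 1432),  # written 8 seconds ago
    ("sess-b", NOW + 610),   # idle for a while
    ("sess-c", NOW - 300),   # already expired, not yet garbage-collected
]

if __name__ == "__main__":
    print(diagnose(SAMPLE_ROWS, NOW))
```

Run against a fresh session row, a result attributed to session.gc_maxlifetime while a different value is configured is the symptom this issue reports.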

DenisChenu

2021-11-15 17:16

developer   ~67333

Last edited: 2021-11-15 17:18

https://forums.limesurvey.org/forum/installation-a-update-issues/125870-survey-session-timeout#222048

https://manual.limesurvey.org/Global_settings/en#General

Session lifetime (seconds) (only available with database sessions): Defines the time in seconds after which a survey session expires (provided there is no action from the participant). When using regular, file-based sessions, it is up to the system administrator to define the right values for 'session.gc_maxlifetime', 'session.save_path', etc., in the PHP configuration. Not only the web server settings but also the other similar settings of other applications may overwrite the setting for file-based sessions when editing it locally via the application. The maximum value that can be introduced is 65000 (seconds). It is recommendable to use a reasonable value. Bear in mind that, when using database sessions, check whether the MySQL setting called max_allowed_packet is set to a large value because some surveys generate over 2 MB of session data

Mazi

2021-11-17 09:47

updater   ~67384

Since session timeouts are a known problem, would it be easily possible to add a short note like "Your current session timeout is set to XXX seconds."? That way a user directly knows what the value used is and can double check if their adjustments are taken into account.
This would be a really nice improvement since people are often having problems finding the correct setting or file to adjust the timeout details.

DenisChenu

2021-11-17 10:16

developer   ~67390

Not related here: DB session issue.

You can report file session information as a feature request, maybe?

Mazi

2021-11-17 12:28

updater   ~67397

Done: https://bugs.limesurvey.org/view.php?id=17727

jpl166

2021-12-13 17:43

reporter   ~67779

I have upgraded to 3.27.29+211214 and the behavior has not changed. I didn't think it would (I diff'd the source trees) but I figured it was worth getting to current while I had an opportunity.

gabrieljenik

2022-04-21 17:20

manager   ~69175

As per the comments, I think this can be closed, right?
Please add any comments in case it should be reopened.
Thanks

jpl166

2022-05-10 23:22

reporter   ~69559

Well, I have a workaround, but the underlying bug is still there. If you set your expiration time using the WebUI, it doesn't work. There doesn't seem to be any attempt in the code to take the value set and pass it to the Yii framework at all, so the implementation of the expiration time in the WebUI only did half the job.

DenisChenu

2022-05-11 07:52

developer   ~69562

> Well, I have a workaround, but the underlying bug is still there. If you set your expiration time using the WebUI, it doesn't work. There doesn't seem to be any attempt in the code to take the value set and pass it to the Yii framework at all, so the implementation of the expiration time in the WebUI only did half the job.

You didn't see the expiration time in the GUI by default; it must be set to DB session. We hid it after making the decision to move it to DB only.

If it shows: it's an issue

jpl166

2022-05-11 14:59

reporter   ~69578

This entire issue is around database sessions. I switched to database sessions because they're actually reliable at session duration, where PHP sessions include a heap of randomness that annoys users. Once I switched, the session lifetime box appeared in the General tab of the Web UI, but no matter what you set it to it doesn't work. That value is not applied to the Yii framework at all. I specifically have it set to a value dramatically different from what I put in to my workaround (php.ini) so that if it were to take effect I would notice it without even checking in the DB by hand. ALSO, setting the value in the config.php for iSessionExpirationTime does not work, once again the value is not being passed to the Yii framework.

https://manual.limesurvey.org/Optional_settings#Resources makes it clear that this setting should work in the scenario I'm living in.

It's been a while since I did the digging to see how to pass this to the Yii framework so I'm a little rusty on the details, but when you instantiate a new session there's a way to pass in the preferred session lifetime. It's just not being done at all. So the framework is taking its default value and using that.

DenisChenu

2022-05-11 15:52

developer   ~69583

> This entire issue is around database sessions. I switched to database sessions because they're actually reliable at session duration, where PHP sessions include a heap of randomness that annoys users. Once I switched, the session lifetime box appeared in the General tab of the Web UI, but no matter what you set it to it doesn't work.

It must work; if not, it's an issue

> That value is not applied to the Yii framework at all.

It's not related to Yii session or PHP.ini shown anymore, the only way to test is to set a ridiculous time on PHP.ini (default session) and a bigger one in GUI.

I reopen.

DenisChenu

2022-05-11 16:56

developer   ~69585

Confirmed:
PHP settings: session.cookie_lifetime + session.gc_maxlifetime to 60,
Set session to DB: disconnect, log in again etc. …

No change: 60 seconds: timeout …

DenisChenu

2022-05-11 17:07

developer   ~69586

PS : you can update the default lifetime via cookieParams
https://manual.limesurvey.org/Optional_settings/en#Other_sessions_update

DenisChenu

2022-05-11 18:45

developer   ~69594

https://github.com/LimeSurvey/LimeSurvey/pull/2415

Don't replace existing lifetime if it's set in config.php

DenisChenu

2022-05-13 17:24

developer   ~69633

https://github.com/LimeSurvey/LimeSurvey/pull/2416

DenisChenu

2022-05-19 20:58

developer   ~69884

Fix committed to 3.x-LTS branch: http://bugs.limesurvey.org/plugin.php?page=Source/view&id=33510

LimeBot

2022-05-23 11:30

administrator   ~69978

Fixed in Release 5.3.16+220523

Related Changesets

LimeSurvey: 3.x-LTS 8fd619d8

2022-05-19 20:58:11

DenisChenu


Committer: GitHub
Fixed issue 17709: GUI setting for DB session lifetime does not apply (#2415)
Affected Issues: 17709
mod - application/core/LSYii_Application.php
mod - application/core/web/DbHttpSession.php

LimeSurvey: master cc497d93

2022-05-19 20:58:34

DenisChenu


Committer: GitHub
Fixed issue 17709: GUI setting for DB session lifetime does not apply (#2416)

Dev: use iSessionExpirationTime only after load DB
Affected Issues: 17709
mod - application/core/LSYii_Application.php

Issue History

Date Modified Username Field Change
2021-11-09 16:20 jpl166 New Issue
2021-11-10 00:07 jpl166 Note Added: 67215
2021-11-10 00:07 jpl166 Bug heat 0 => 2
2021-11-15 17:16 DenisChenu Note Added: 67333
2021-11-15 17:16 DenisChenu Bug heat 2 => 4
2021-11-15 17:18 DenisChenu Note Edited: 67333
2021-11-17 09:47 Mazi Note Added: 67384
2021-11-17 09:47 Mazi Bug heat 4 => 6
2021-11-17 10:16 DenisChenu Note Added: 67390
2021-11-17 10:17 DenisChenu Issue Monitored: DenisChenu
2021-11-17 10:17 DenisChenu Bug heat 6 => 8
2021-11-17 12:28 Mazi Note Added: 67397
2021-12-13 17:43 jpl166 Note Added: 67779
2022-04-21 17:20 gabrieljenik Assigned To => gabrieljenik
2022-04-21 17:20 gabrieljenik Status new => closed
2022-04-21 17:20 gabrieljenik Resolution open => no change required
2022-04-21 17:20 gabrieljenik Note Added: 69175
2022-04-21 17:20 gabrieljenik Bug heat 8 => 10
2022-05-10 23:22 jpl166 Note Added: 69559
2022-05-11 07:52 DenisChenu Note Added: 69562
2022-05-11 14:59 jpl166 Note Added: 69578
2022-05-11 15:52 DenisChenu Note Added: 69583
2022-05-11 15:52 DenisChenu Assigned To gabrieljenik => DenisChenu
2022-05-11 15:52 DenisChenu Status closed => feedback
2022-05-11 15:52 DenisChenu Resolution no change required => reopened
2022-05-11 16:56 DenisChenu Status feedback => confirmed
2022-05-11 16:56 DenisChenu Note Added: 69585
2022-05-11 16:57 DenisChenu Complete LimeSurvey version number (& build) 3.27.6 build 210629 => 3.27.6 build 210629 / 3.28.9
2022-05-11 16:57 DenisChenu Browser => firefox 100.0
2022-05-11 16:57 DenisChenu Webserver software & version (if known) Apache 2.4.38 => Apache 2.4.38 / NGINX
2022-05-11 17:07 DenisChenu Note Added: 69586
2022-05-11 18:45 DenisChenu Note Added: 69594
2022-05-13 17:24 DenisChenu Note Added: 69633
2022-05-13 17:24 DenisChenu Status confirmed => review
2022-05-13 17:24 DenisChenu Complete LimeSurvey version number (& build) 3.27.6 build 210629 / 3.28.9 => 3.27.6 build 210629 / 3.28.9 /5.3.13
2022-05-19 20:58 DenisChenu Changeset attached => LimeSurvey master cc497d93
2022-05-19 20:58 DenisChenu Changeset attached => LimeSurvey 3.x-LTS 8fd619d8
2022-05-19 20:58 DenisChenu Note Added: 69884
2022-05-19 20:58 DenisChenu Resolution reopened => fixed
2022-05-19 21:00 c_schmitz Status review => resolved
2022-05-23 11:30 LimeBot Note Added: 69978
2022-05-23 11:30 LimeBot Status resolved => closed
2022-05-23 11:30 LimeBot Bug heat 10 => 12