MDL-56129 core: Set a timeout on the session cookie

[moodle.git] / lib / classes / session / manager.php

diff --git a/lib/classes/session/manager.php b/lib/classes/session/manager.php
index 4d0386b..c75e12b 100644 (file)
--- a/lib/classes/session/manager.php
+++ b/lib/classes/session/manager.php
@@ -252,7 +252,12 @@ class manager {
 
         // Set configuration.
         session_name($sessionname);
 
         // Set configuration.
         session_name($sessionname);

-        session_set_cookie_params(0, $CFG->sessioncookiepath, $CFG->sessioncookiedomain, $cookiesecure, $CFG->cookiehttponly);
+        // The session cookie expiry time cannot be extended so this needs to be set to a reasonable period, longer than
+        // the sessiontimeout.
+        // This ensures that the cookie is unlikely to timeout before the session does.
+        $sessionlifetime = $CFG->sessiontimeout + WEEKSECS;
+        session_set_cookie_params($sessionlifetime, $CFG->sessioncookiepath, $CFG->sessioncookiedomain,
+                $cookiesecure, $CFG->cookiehttponly);

         ini_set('session.use_trans_sid', '0');
         ini_set('session.use_only_cookies', '1');
         ini_set('session.hash_function', '0');        // For now MD5 - we do not have room for sha-1 in sessions table.
         ini_set('session.use_trans_sid', '0');
         ini_set('session.use_only_cookies', '1');
         ini_set('session.hash_function', '0');        // For now MD5 - we do not have room for sha-1 in sessions table.