Sessions
Sessions are used to store information across page requests a user makes. Sessions are used by Jadu to remember:
- whether a user is logged in
- which user they are
- information to show to a user such as error messages
The application handles starting and ending sessions appropriately, and implements security to prevent sessions being hijacked.
Session length and timeout
The maximum session lifetime is defined by the PHP configuration value session.gc_maxlifetime, which defaults to 24 minutes.
Sessions are further limited from the maximum value by Jadu.
The Control Center session length defaults to 15 minutes, and is defined by the value of session_expiry_time in constants.xml.
If you are using the Photon template system, the session length is controlled by Symfony session configuration of the "frontend" Symfony app.
Form timeout
By default users are given 10 minutes to complete each form page once they have started a form. If the user doesn't complete the page within the timeout period, they are shown a message informing them that their session has timed out when they try to proceed through the form.
Forms are considered started once the first page of questions has been answered.
It is possible to change the default timeout. To change the timeout length, edit /config/xfp/constants.xml and change the value of xforms_session_timeout to a suitable number of minutes. After saving the changes you will need to clear the config cache.
<xforms_session_timeout>10</xforms_session_timeout>
The value of <xforms_session_timeout> must be less than the php.ini value for session.gc_maxlifetime. If session.gc_maxlifetime is not updated to stay above the form timeout, the user is shown a different error message.
Storage
Jadu supports storing PHP session files in one of three locations:
- on the file system
- in memory, for example using Memcached or Redis
- in the database
For single server sites, storing session files on the file system (the PHP default) is generally fine.
However, when multiple servers are deployed it is desirable for a user to have their session maintained regardless of the server that they access.
This can be achieved by storing sessions in the database or in memory.
We do not recommend using Destination Address Affinity Persistence (often referred to as sticky sessions).
Regeneration and expiry
Sessions are regenerated when:
- last regeneration time is in the past
Sessions are destroyed when:
- the expiry time is not set
- the expiry time is in the past
- the browser fingerprint has changed
- an existing session is present, but it is not initiated or has no browser fingerprint data
Session configuration
The following php.ini values are overridden by Jadu Central when creating sessions.
| Parameter | Value |
|---|---|
| session.cookie_httponly | true |
| session.cookie_secure | true when FORCE_SECURE and SSL_ENABLED are true |
| session.hash_function | sha256 |
| session.hash_bits_per_character | 5 |
| session.name | Set to random string on install |
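The following PHP is an added example, not Jadu's own code: it applies the php.ini overrides from the table above and then enforces the "destroyed when" and "regenerated when" rules from the previous section on each request. The fingerprint composition (User-Agent only), the regeneration interval, treating session_expiry_time as an idle timeout, and FORCE_SECURE / SSL_ENABLED being PHP constants are all assumptions, since the page does not specify them.

```php
<?php
// Added example, not Jadu's code: apply the php.ini overrides from the table
// above, then enforce the "destroyed when" / "regenerated when" rules per request.
declare(strict_types=1);
const SESSION_EXPIRY_SECONDS = 15 * 60;     // session_expiry_time default (15 minutes)
const REGENERATE_INTERVAL_SECONDS = 5 * 60; // assumption: the page gives no interval

function configureSessionIni(bool $forceSecure, bool $sslEnabled): void
{
    ini_set('session.cookie_httponly', '1');
    ini_set('session.cookie_secure', ($forceSecure && $sslEnabled) ? '1' : '0');
    if (PHP_VERSION_ID < 70100) { // both settings were removed in PHP 7.1
        ini_set('session.hash_function', 'sha256');
        ini_set('session.hash_bits_per_character', '5');
    }
}
// Assumption: the page does not say what Jadu fingerprints; User-Agent only here.
function browserFingerprint(array $server): string
{
    return hash('sha256', $server['HTTP_USER_AGENT'] ?? '');
}

// True when the stored session matches any of the "destroyed when" rules above.
function shouldDestroy(array $session, string $fingerprint, int $now): bool
{
    if ($session !== [] && (empty($session['initiated']) || empty($session['fingerprint']))) {
        return true; // present, but not initiated or without fingerprint data
    }
    if (!isset($session['expires_at']) || $session['expires_at'] < $now) {
        return true; // expiry not set, or already in the past
    }
    return !hash_equals($session['fingerprint'], $fingerprint); // fingerprint changed
}
function startSession(array $server, int $now): void
{
    configureSessionIni(defined('FORCE_SECURE') && FORCE_SECURE, defined('SSL_ENABLED') && SSL_ENABLED);
    session_start();
    $fingerprint = browserFingerprint($server);
    if (shouldDestroy($_SESSION, $fingerprint, $now)) {
        session_unset();                 // discard the old data...
        session_regenerate_id(true);     // ...and the old id, then initialise afresh
        $_SESSION = ['initiated' => true, 'fingerprint' => $fingerprint,
                     'regenerate_at' => $now + REGENERATE_INTERVAL_SECONDS];
    } elseif (($_SESSION['regenerate_at'] ?? 0) <= $now) {
        session_regenerate_id(true);     // scheduled regeneration time has passed
        $_SESSION['regenerate_at'] = $now + REGENERATE_INTERVAL_SECONDS;
    }
    $_SESSION['expires_at'] = $now + SESSION_EXPIRY_SECONDS; // assumption: idle timeout
}
```

Call startSession($_SERVER, time()) before any output; a request whose User-Agent differs from the stored fingerprint, or that arrives after expires_at, gets a fresh session rather than the old one.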