Sessions

Sessions are used to store information across page requests a user makes. Sessions are used by Jadu to remember:

  • whether a user is logged in
  • which user they are
  • information to show to a user such as error messages

The application handles starting and ending sessions appropriately, and implements security to prevent sessions being hijacked.

Session length and timeout

The maximum session lifetime is defined by the PHP configuration value session.gc_maxlifetime, which defaults to 24 minutes.

Jadu further limits session length below this maximum, as described below.

CMS sessions

The Control Center session length defaults to 15 minutes, and is defined by the value of session_expiry_time in constants.xml.

If you are using the Photon template system, the session length is controlled by Symfony session configuration of the "frontend" Symfony app.

Form timeout

By default, users are given 10 minutes to complete each form page once they have started a form. If the user doesn't complete the page within the timeout period, they are shown a message informing them that their session has timed out when they try to proceed through the form.

[Screenshot: Form timeout message]

Note: Forms are considered started after the first page of questions has been answered.

It is possible to change the default timeout. To change the timeout length, edit /config/xfp/constants.xml and change the value of xforms_session_timeout to a suitable number of minutes. After saving the changes you will need to clear the config cache.

<xforms_session_timeout>10</xforms_session_timeout>

The value of <xforms_session_timeout> must be less than the php.ini value for session.gc_maxlifetime. If session.gc_maxlifetime is not raised accordingly, PHP may expire the session before the form timeout is reached, and the user is shown a different error message:

[Screenshot: Form timeout message]
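The constraint above (form timeout in minutes must stay below session.gc_maxlifetime in seconds) is easy to get wrong because the two values live in different files and use different units. The following added example, which is not Jadu's own code, reads an xforms_session_timeout value from constants.xml and a session.gc_maxlifetime value from php.ini-style text and reports whether the relationship holds. The sample file contents are constructed for the example; the parsing helpers are assumptions and not part of Jadu.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of the relevant part of /config/xfp/constants.xml (not a real Jadu file).
CONSTANTS_XML = """<?xml version="1.0"?>
<constants>
  <xforms_session_timeout>10</xforms_session_timeout>
  <session_expiry_time>15</session_expiry_time>
</constants>"""

# Constructed sample of the session block of php.ini (not a real file).
PHP_INI = """[Session]
session.save_handler = files
session.gc_maxlifetime = 1440
session.cookie_httponly = 1
"""

PHP_DEFAULT_GC_MAXLIFETIME = 1440  # PHP's built-in default, 24 minutes in seconds


def php_ini_value(ini_text, key):
    """Return the raw value of `key` from php.ini-style text, or None if absent.

    Trailing ';' comments are ignored and surrounding quotes are stripped.
    """
    pattern = re.compile(r'^\s*' + re.escape(key) + r'\s*=\s*(.*?)\s*(?:;.*)?$', re.M)
    match = pattern.search(ini_text)
    return match.group(1).strip('"\'') if match else None


def xforms_timeout_minutes(xml_text):
    """Return the integer value of <xforms_session_timeout>, or None if missing."""
    root = ET.fromstring(xml_text)
    node = root.find('xforms_session_timeout')
    if node is None or node.text is None or not node.text.strip():
        return None
    return int(node.text.strip())


def check_form_timeout(xml_text, ini_text):
    """Return (ok, message); ok is True only when timeout < gc_maxlifetime.

    The form timeout is in minutes, gc_maxlifetime in seconds, so both are
    normalised to seconds before comparing.
    """
    timeout_min = xforms_timeout_minutes(xml_text)
    if timeout_min is None:
        return False, 'xforms_session_timeout not found in constants.xml'

    gc_raw = php_ini_value(ini_text, 'session.gc_maxlifetime')
    gc_seconds = int(gc_raw) if gc_raw is not None else PHP_DEFAULT_GC_MAXLIFETIME

    timeout_seconds = timeout_min * 60
    if timeout_seconds < gc_seconds:
        return True, f'ok: form timeout {timeout_min} min ({timeout_seconds} s) < gc_maxlifetime {gc_seconds} s'
    return False, (f'form timeout {timeout_min} min ({timeout_seconds} s) is not below '
                   f'gc_maxlifetime {gc_seconds} s; raise session.gc_maxlifetime')


if __name__ == '__main__':
    ok, message = check_form_timeout(CONSTANTS_XML, PHP_INI)
    print('PASS' if ok else 'FAIL', message)
```

Run it against the real files by replacing the two constructed strings with the contents of constants.xml and the active php.ini; a FAIL result means PHP's garbage collector can discard the session before the form timeout fires.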

Storage

Jadu supports storing PHP session files in one of three locations:

  • on the file system
  • in memory, for example using Memcached or Redis
  • in the database

For single server sites, storing session files on the file system (the PHP default) is generally fine.

However, when multiple servers are deployed it is desirable for a user to have their session maintained regardless of the server that they access.

This can be achieved by storing sessions in the database or in memory.

Note: We do not recommend using Destination Address Affinity Persistence (often referred to as sticky sessions).

Regeneration and expiry

Sessions are regenerated when:

  • the last regeneration time is in the past

Sessions are destroyed when:

  • the expiry time is not set
  • the expiry time is in the past
  • the browser fingerprint has changed
  • an existing session is present, but it is not initiated or has no browser fingerprint data
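To make the regeneration and destruction rules above concrete, here is an added, illustrative model of that decision logic in Python. It is not Jadu's code: the SessionState fields, the fingerprint construction from request headers, the sliding expiry on each request and the regeneration interval are all assumptions made for the example. What it shows is the order in which the checks are applied and why a changed fingerprint or a missing expiry results in a fresh session rather than continued use of the old one.

```python
import hashlib
import secrets
from dataclasses import dataclass
from typing import Optional


def browser_fingerprint(user_agent, accept_language):
    """Hypothetical fingerprint: a hash over stable request headers (assumption)."""
    return hashlib.sha256(f'{user_agent}|{accept_language}'.encode()).hexdigest()


@dataclass
class SessionState:
    """Server-side view of one session (field names are assumptions for this example)."""
    session_id: str
    initiated: bool = False
    fingerprint: Optional[str] = None
    expires_at: Optional[float] = None      # unix timestamp, None = never set
    regenerate_at: Optional[float] = None   # next scheduled id regeneration


def evaluate_session(state, request_fp, now):
    """Return 'destroy', 'regenerate' or 'keep' following the rules on this page."""
    # An existing session that was never initiated or carries no fingerprint is discarded.
    if not state.initiated or state.fingerprint is None:
        return 'destroy'
    # Expiry must be set and must lie in the future.
    if state.expires_at is None or state.expires_at < now:
        return 'destroy'
    # A different fingerprint means the cookie is being presented from a different client.
    if state.fingerprint != request_fp:
        return 'destroy'
    # Still valid: rotate the id once the scheduled regeneration time has passed.
    if state.regenerate_at is not None and state.regenerate_at < now:
        return 'regenerate'
    return 'keep'


def new_session(request_fp, now, lifetime, regen_interval):
    """Create a fresh session bound to the presenting client's fingerprint."""
    return SessionState(secrets.token_hex(16), True, request_fp,
                        now + lifetime, now + regen_interval)


def apply_decision(state, decision, request_fp, now, lifetime=900, regen_interval=300):
    """Produce the session to continue with after a decision.

    'destroy' discards all state and starts over; 'regenerate' keeps the data
    under a new id. Expiry slides forward on each request (assumption).
    """
    if decision == 'destroy':
        return new_session(request_fp, now, lifetime, regen_interval)
    if decision == 'regenerate':
        state = SessionState(secrets.token_hex(16), True, state.fingerprint,
                             state.expires_at, now + regen_interval)
    state.expires_at = now + lifetime
    return state


if __name__ == '__main__':
    now = 1_000_000.0
    fp = browser_fingerprint('Mozilla/5.0 (constructed)', 'en-GB')
    sess = new_session(fp, now, lifetime=900, regen_interval=300)
    for step, (req_fp, t) in enumerate([(fp, now + 10), (fp, now + 400),
                                        (browser_fingerprint('other', 'en-GB'), now + 420)]):
        decision = evaluate_session(sess, req_fp, t)
        print(step, decision, sess.session_id[:8])
        sess = apply_decision(sess, decision, req_fp, t)
```

The lifetime of 900 seconds mirrors the 15-minute Control Center default given above; the 300-second regeneration interval is an arbitrary value chosen for the example.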

Session configuration

The following php.ini values are overridden by Jadu Central when creating sessions.

Parameter                        Value
session.cookie_httponly          true
session.cookie_secure            true when FORCE_SECURE and SSL_ENABLED are true
session.hash_function            sha256
session.hash_bits_per_character  5
session.name                     Set to a random string on install