Does this even work when the value for session.gc_maxlifetime differs between the CLI PHP executable and php.ini value for the web server?

I don't know. I thought that this was the best default value, but didn't thought about different runtime configurations. Any suggestion for a better default value is welcome.

Anyway I've proposed to trigger an E_USER_WARNING when the SessionExpirationListener is built, so the user can detect the problem.

I guess using null here and determine the ini setting value at runtime then would be safer.

I'm not sure about it. If this ini option has different values for web and cli environments, it will be problematic:
if we set it at runtime, this value can vary between http requests and console commands; but if we set it at config time, the value will be read only once when the container is compiled, and the maybe the value is not the preferred one.

Anyway, ICYMI the E_USER_WARNING was removed and now the behavior is to log the problem with WARN level.

Maybe we should remove any default value and require the user to provide it.

@xabbuh I'm waiting for your final decision here:

• Set the option at config time
• Set the value at runtime setting the option to null at config time.
• Make the option required

I'll implement your preferred option and the PR will be ready for merge.

ping @xabbuh

we should make the option required (if the session_expiration key is present)

What about expiration_path? This seems more consistent with the keys under form_login, for example. And this could also be a URL, correct? It looks like you set it up that way :)

You now also need to update the required version of the symfony/security-http component in the SecurityBundle.

Shoud I add a requirement for symfony/security-http:~3.2 or should I modify the required version for symfony/security to ~3.2?

Modifying the existing requirement looks okay to me.

Could we just use the FormLoginBundle directly in the tests? Then we could remove this file and the new after_login.html.twig. That bundle already gives us a functional /profile URL, which is all we really need I think.

// Wait (add a space)

Can be removed - on the 3.4 branch, this is already updated to "symfony/security": "~3.4|~4.0",

this key needs to be added in the translation files of the Security component (at least the English file which is the reference, and then any other language for which you are able to translate it yourself)

I think you can inline that check.

I think it is cleaner with the extra method.

I agree with @xabbuh in this case

please separate the @param and @throws with an empty phpdoc line

no need for the extra method imo

I think is cleaner with the extra method.

nit pick, but use ' around the string and then "%s" inside. We almost always wrap strings in single quotes (sometimes this isn't followed, but usually when we need "\n")

Ok, so this is the trickiest part of this PR. You're effectively imitating what LogoutListener does + some of its logout handlers (e.g. SessionLogoutHandler). So then (to play devil's advocate), why not actually inject the logout handlers and use them here? We are logging the user out... so shouldn't those handlers be called? And to go further, couldn't we use the normal DefaultLogoutSuccessHandler to figure out where to take the user next?

The disadvantage to this is that you couldn't do something different based on a normal user logout versus a session expiration logout. But, is that a problem? And if it is, could we dispatch a special event (e.g. security.session_expired) in this class, before calling the logout handlers?

After 3 years, my vision is slightly different. I'll remove the $tokenStorage->setToken(null) so this listener will only detect the session expiration and optionally (enabled by default) will invalidate the session.

For me, the logout is an interactive user action and different from the session expiration case.
If you need to force the logout you could disable the session invalidation and redirect the user to the logout path. What do you think?

Hmm... so then the purpose of this listener would be to only invalidate the session after a certain amount of idle time. If that's the case... then this is kind of unrelated to security, right? This could just be a general framework feature of the session: a framework-level way to invalidate sessions that are idle. Wdyt?

@weaverryan It took me some time to review this, as the history behind this PR is too old. It is the result of an split of #12009, which was a reimplementation of #786, into #12807(this PR) and #12810, so I decided to write a recap

We have to implement 2 different things here: first, a feature to detect idle sessions, and last, to provide a default behavior once the expired session is detected.

Detecting idle sessions

It is now implemented as a firewall listener, so it can be enabled or disabled for different firewalls in the same app, but if the session is invalidated inside one firewall, it will logout from any firewall that uses the ContextListener to restore the token.

If we decide that this feature is not related to security, but to the framework, we can implement it as a kernel.request event listener that, IMO, should be executed with higher priority than the firewall one, so the user is not authenticated from an expired session. I'm not sure which component (HttpKernel?) should provide this listener.

Anyway, once the expired session is detected, I think that a new event should be dispatched (currently not implemented). Your proposed name security.session_expired it's only an option if we decide that this feature is a security concern.

Default behavior on expired sessions

For me, the best option here is to invalidate the session (should we allow not to override this?), and redirect the user to a given path that will return an accurate response depending on the given request (html, json, etc...) or to throw a SessionExpiredException in no path is defined. If we implement this feature as a kernel event listener, this behavior should be hooked to the new session_expired event.

In a previous comment you proposed to force an user logout calling the LogoutSuccessHandler and all defined LogoutHandlers, but I see two problems here:

1. In the app there could be more than one firewall, so; which logout should be executed when an expired session is detected if we decide that this option should not be implemented as a firewall listener, but as a kernel listener?
2. If we decide to execute the logout from the current firewall, (in this case the expired session listener should be a firewall listener, or has to be executed after the firewall listener), what should be done if there is no logout listener defined for the current path?

Hey @ajgarlag!

Sorry for the slow reply again :p.

After reading your reply, it seems to me that this PR indeed has nothing to do with security. We're simply implementing a framework-level "session timeout" feature. This is necessary because there's no reliable way to do this with php.ini configuration. If there were, then we would just have the user do that.

With that in mind, this 100% seems like "session" configuration. And so, it would be configured under the framework.session configuration. And I don't think ANY other configuration is necessary - no need to have expiration_url. Nope, we would simply invalidate the user's session and that's it (e.g. allow the request to continue).

IF we want to allow the user to hook into this further, then dispatching the event we discussed may make sense. I WOULD do that, then we can see what others think.

To summarize (and tell me if you disagree):

1. This is not related to security at all - implement it under the framework.session configuration. The listener would be configured in FrameworkBundle, but the listener/subscriber class itself would live in the HttpKernel component.

2. When a session "expires", simply invalidate the session and do nothing else. Well, let's also dispatch a new event, and we can see if people think it's a good idea.

if i have multiple webservers in different countries and a global session storage, i'll have timezone related session expires?

The time function returns a UNIX timestamp, which is timezone independent and the lastUsed property of the MetadataBag is computed using the time function too, so the session expires are not related to timezones.

of course, you're right. thanks.

getLastUsed will return null if session is not started