- Bug
- Resolution: Fixed
- Major
- 3.0.6, 3.1.2, 3.2
- MOODLE_30_STABLE, MOODLE_31_STABLE, MOODLE_32_STABLE
- MOODLE_31_STABLE

The redis session handler doesn't use the sessiontimeout config setting to determine session lifetime within redis itself.
It has a lock expiry, which is set to 7200 (or a config setting) that is used to determine how long a lock is held onto, but that should be distinct from the session timeout.
What ends up happening is it relies on the session_cleanup_task to remove old sessions that exceed the sessiontimeout. If the Moodle cron is misconfigured, or failing for reasons unknown, the sessions will last for the default 7200 seconds.
My proposed fix has the timeout for the session set to sessiontimeout so it doesn't rely on the cleanup task removing it and also makes it possible to have a lockexpiry lower than the session timeout if desired to let admins set a low-ish lock expiry (compared to the session lifetime) to be able to handle the occasional lock that isn't released properly (which should be partially addressed by MDL-55953).
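
The difference between the two expiries described in this report, as an added example that is not Moodle's code: an in-memory stand-in for Redis with a simulated clock, showing a session that idles while no cleanup task runs. `FakeRedis`, `SessionHandler`, the `sess:` key prefix and the `fixed` flag are hypothetical names chosen for illustration, and the coupling of session expiry to lock expiry is modelled as the report describes it.

```python
class FakeRedis:
    """In-memory stand-in for Redis key expiry (constructed, not Moodle code)."""
    def __init__(self):
        self.now = 0    # simulated clock, in seconds
        self.data = {}  # key -> (value, absolute expiry time)

    def setex(self, key, ttl, value):
        self.data[key] = (value, self.now + ttl)

    def get(self, key):
        value, expires = self.data.get(key, (None, 0))
        return value if self.now < expires else None


class SessionHandler:
    """Hypothetical handler; parameters are named after the settings in the report."""
    def __init__(self, redis, sessiontimeout, lockexpire=7200, fixed=True):
        self.redis = redis
        self.lockexpire = lockexpire
        # Reported behaviour: session data expires with the lock expiry.
        # Proposed behaviour: session data expires after sessiontimeout.
        self.session_ttl = sessiontimeout if fixed else lockexpire

    def write(self, sid, data):
        self.redis.setex("sess:" + sid, self.session_ttl, data)

    def read(self, sid):
        return self.redis.get("sess:" + sid)

    def lock(self, sid):
        # The lock TTL only bounds how long an unreleased lock blocks requests.
        key = "sess:" + sid + ".lock"
        if self.redis.get(key) is not None:
            return False
        self.redis.setex(key, self.lockexpire, "1")
        return True


def session_alive_after(idle, sessiontimeout, lockexpire, fixed):
    """Write a session, idle with no cleanup task running, then try to read it."""
    redis = FakeRedis()
    handler = SessionHandler(redis, sessiontimeout, lockexpire, fixed)
    handler.write("abc", "constructed-session-data")
    redis.now += idle
    return handler.read("abc") is not None


if __name__ == "__main__":
    for fixed in (False, True):
        print(fixed, session_alive_after(3600, 1800, 7200, fixed))
```

With the expiries separated, a lock expiry shorter than the session timeout frees an unreleased lock without ending the session.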