  1. Moodle
  2. MDL-56823

Sessions: redis sessions don't honour $CFG->sessiontimeout

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 3.0.6, 3.1.2, 3.2
    • Fix Version/s: 3.1.4
    • Component/s: Libraries
    • Testing Instructions:
      You are required to have a Redis server running and configured to work with your web server in order to perform this test.

      For Ubuntu that is simply,

      apt-get install php5-redis redis-server
      service apache2 restart

      Ensure that lib/classes/session/redis.php exists.

      Edit config.php and add the following:

      $CFG->session_handler_class = '\core\session\redis';
      $CFG->session_redis_host = '127.0.0.1';

      Navigate to admin/phpinfo.php then scroll down to the session block and check the following local values,

      session.save_handler = user
      session.save_path = no value

      You can use the terminal command $ redis-cli monitor to double-check that Redis is really being used.

      Without cron running:
      Set $CFG->sessiontimeout to something low, say 120 (2 minutes).
      Log in to Moodle.
      Wait more than 2 minutes.
      Refresh the page.
      You should be logged out.

      Testing the distinction between lock expiry and session expiry:
      Set $CFG->session_redis_lock_expire to something low, say 120 (2 minutes).
      Set $CFG->sessiontimeout to 7200 (2 hours).
      Log in to Moodle.
      Wait more than 2 minutes.
      Refresh the page.
      You should not be logged out.

    • Affected Branches:
      MOODLE_30_STABLE, MOODLE_31_STABLE, MOODLE_32_STABLE
    • Fixed Branches:
      MOODLE_31_STABLE

      Description

      The redis session handler doesn't use the sessiontimeout config setting to determine session lifetime within redis itself.

      It has a lock expiry, which is set to 7200 (or a config setting) that is used to determine how long a lock is held onto, but that should be distinct from the session timeout.

      What ends up happening is it relies on the session_cleanup_task to remove old sessions that exceed the sessiontimeout. If the moodle cron is misconfigured, or failing for reasons unknown, the sessions will last for the default 7200 seconds.

      My proposed fix has the timeout for the session set to sessiontimeout so it doesn't rely on the cleanup task removing it, and also makes it possible to have a lockexpiry lower than the session timeout if desired, to let admins set a low-ish lock expiry (compared to the session lifetime) to be able to handle the occasional lock that isn't released properly (which should be partially addressed by MDL-55953).
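
The difference the description draws between lock expiry and session lifetime, as an added example that is not Moodle's code: a small in-memory model of Redis key expiry, run with the timeouts from the testing instructions. The key names and the `ttl_from_lock` switch are constructed for illustration, and the model assumes the pre-fix handler took the session key's TTL from the lock expiry, as the description implies.

```python
class FakeRedis:
    """In-memory stand-in for Redis SETEX/GET with a manually advanced clock."""

    def __init__(self):
        self.now = 0    # seconds; advanced by the caller
        self.data = {}  # key -> (value, absolute expiry time)

    def setex(self, key, ttl, value):
        self.data[key] = (value, self.now + ttl)

    def get(self, key):
        value, expires = self.data.get(key, (None, 0))
        if self.now >= expires:  # expired, or never set
            self.data.pop(key, None)
            return None
        return value


def idle_outcome(sessiontimeout, lock_expire, idle, ttl_from_lock):
    """Return (session_alive, lock_alive) after `idle` seconds with no cron.

    ttl_from_lock=True models the reported behaviour (assumption: the session
    key's TTL is taken from the lock expiry); False models the proposed fix
    (session key TTL = sessiontimeout, lock TTL = lock expiry).
    """
    r = FakeRedis()
    session_ttl = lock_expire if ttl_from_lock else sessiontimeout
    r.setex("sess:abc", session_ttl, "userid=2")    # constructed session key
    r.setex("sess:abc.lock", lock_expire, "owner")  # a lock that is never released
    r.now += idle  # the user idles and no cleanup task runs
    return r.get("sess:abc") is not None, r.get("sess:abc.lock") is not None


if __name__ == "__main__":
    # (sessiontimeout, lock_expire, idle) from the two test scenarios above.
    for args in [(120, 7200, 121), (7200, 120, 121)]:
        for buggy in (True, False):
            label = "before fix" if buggy else "after fix"
            print(args, label, idle_outcome(*args, ttl_from_lock=buggy))
```
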


                Dates

                • Fix Release Date:
                  9/Jan/17