Laravel cookie session lifetime

Solution 1

Actually, when you are setting the value like this in a Controller:

$lifetime = time() + 60 * 60 * 24 * 365;// one year
Config::set('session.lifetime', $lifetime);

It's not updating the value in the file; instead, it sets it for the current request only (in memory), and when you check the value from another Controller/Request like this:

Config::get('session.lifetime');

You are getting the original value from the file system. It's mentioned in the documentation as given below:

Configuration values that are set at run-time are only set for the current request, and will not be carried over to subsequent requests.

Solution 2

Since it seems to be OK to use cookies as the session driver in your case, you could set the session lifetime to one year in /app/config/session.php by default and store the expiration date of the cookie along with the token in the session. That would allow you to artificially control the validity of the cookie.

Basically, your signin method could look like this:

public function signin() {

    /**
     * Code for getting *client_code* and *client_state* from API server
     */

    $access_token = $this->provider->getAccessToken('authorization_code', $form_data);

    // $access_token is an object and contains all data (access_token, refresh_token, expires)
    Session::put('access_token', $access_token);
    Session::put('refresh_token', $access_token->refreshToken);
    Session::put('token_expires', $access_token->expires);

    if (Input::has('rememberMe')) {
        $expires = time() + 60 * 60 * 24 * 365; // one year
    } else {
        $expires = time() + 60 * 60 * 2; // two hours
    }

    Session::put('cookie_expires', $expires);

    return Response....

}

Then, any time you want to use the access_token, you would first check that cookie_expires isn't in the past (and if it is, redirect the user to the login page after clearing the session, for example).
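The check described in this answer, as an added example that is not code from the answer or from Laravel itself. It goes one step further than the answer by also looking at the stored token_expires, so an expired OAuth token is not used just because the remember-me window is still open. Assumptions: the filter name token.valid and the login and token/refresh URLs are hypothetical, and both expiry values are Unix timestamps.

```php
<?php
// Added example (not from the answer). Session keys match the signin() method above.

// Read an expiry as a Unix timestamp; anything missing or malformed becomes 0 (already expired).
function expiryOf(array $session, $key)
{
    $value = isset($session[$key]) ? $session[$key] : null;
    return (is_int($value) || (is_string($value) && ctype_digit($value))) ? (int) $value : 0;
}

// Returns 'login' (discard the session), 'refresh' (token stale, window still open) or 'ok'.
function sessionTokenState(array $session, $now)
{
    if (empty($session['access_token']) || expiryOf($session, 'cookie_expires') <= $now) {
        return 'login';
    }
    // The provider's token expiry is independent of the remember-me window.
    if (expiryOf($session, 'token_expires') <= $now) {
        return empty($session['refresh_token']) ? 'login' : 'refresh';
    }
    return 'ok';
}

// Laravel 4 wiring for app/filters.php; skipped when the file is run outside the framework.
if (class_exists('Route')) {
    Route::filter('token.valid', function () {      // hypothetical filter name
        $state = sessionTokenState(Session::all(), time());
        if ($state === 'login') {
            Session::flush();                        // drop the stale tokens
            return Redirect::to('login');            // assumed login URL
        }
        if ($state === 'refresh') {
            return Redirect::to('token/refresh');    // hypothetical route that renews the token
        }
    });
}

// Constructed sample sessions for a stand-alone run.
$now = 1700000000;
$base = array('access_token' => 'constructed-token', 'refresh_token' => 'constructed-refresh');
$samples = array(
    'remembered, token fresh' => $base + array('cookie_expires' => $now + 31536000, 'token_expires' => $now + 3600),
    'remembered, token stale' => $base + array('cookie_expires' => $now + 31536000, 'token_expires' => $now - 1),
    'window closed'           => $base + array('cookie_expires' => $now - 1, 'token_expires' => $now + 3600),
    'expiry missing'          => $base + array('token_expires' => $now + 3600),
);
foreach ($samples as $label => $session) {
    echo $label, ': ', sessionTokenState($session, $now), PHP_EOL;
}
```

Inside a Laravel application, keep the two functions and the filter and drop the sample loop at the end.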

Solution 3

I have no idea where the Session::put('expires', $lifetime); will be used. To me, it seems like a normal cookie variable, not an actual lifetime associated with any cookie.

You will need to set the cookie lifetime before your cookies are set, and do it in a way that Laravel knows you're setting a new cookie lifetime value.

public function signin() {

    $access_token = $this->provider->getAccessToken('authorization_code', $form_data);

    if (!$access_token) {
        return Response... // Respond some other way if authentication failed.
    }

    // Check rememberMe first so you can set the right session.lifetime before setting any cookies.
    if (Input::has('rememberMe')) {
        // session.lifetime is expressed in minutes, not as a Unix timestamp.
        $lifetime = 60 * 24 * 365; // one year
        Config::set('session.lifetime', $lifetime);
    }

    Session::put('access_token', $access_token);
    Session::put('refresh_token', $access_token->refreshToken);
    Session::put('token_expires', $access_token->expires);

    return Response....
}

I also took the chance to add if (!$access_token) { before setting the cookie since you won't always be authenticating successfully.

Author by

Kolesar

Updated on July 09, 2022

Comments

  • Kolesar
    Kolesar almost 2 years

    I used Laravel as an OAuth2 client, and I need to keep the token in cookies. So I set the driver to cookie and kept the default value for lifetime, 120.

    When a user checks remember me on login, I tried to change the lifetime with this code:

        $lifetime = time() + 60 * 60 * 24 * 365;// one year
        Config::set('session.lifetime', $lifetime);
    

    But without success. In any other controller I checked the value of lifetime, and every time I get the default value.

    \Log::info(\Config::get('session.lifetime'));
    

    Edit #1:

    Is this enough?

    if(Input::has('rememberMe')) {
       $lifetime = time() + 60 * 60 * 24 * 365; // one year
       Session::put('Expires', $lifetime);
    }
    

    Edit #2:

    I put the access_token key in the same way as Expires in the example above, like:

    public function signin() {
    
        /**
         * Code for getting *client_code* and *client_state* from API server
         */
    
        $access_token = $this->provider->getAccessToken('authorization_code', $form_data);
    
        // $access_token is an object and contains all data (access_token, refresh_token, expires)
        Session::put('access_token', $access_token);
        Session::put('refresh_token', $access_token->refreshToken);
        Session::put('token_expires', $access_token->expires);

        if (Input::has('rememberMe')) {
            $lifetime = time() + 60 * 60 * 24 * 365; // one year
            Session::put('expires', $lifetime);
        }
    
    
        return Response....
    
    }
    

    This is the 'default' Laravel session (I changed the driver from file to cookie in /app/config/session.php). I know the lifetime should be set in the /app/config/session.php file, but as you can see I need a longer lifetime for the Remember me option.