Session expiry time

The $_configuration['session_lifetime'] setting in configuration.php is supposed to define how long a user can remain connected without being active in Chamilo. However, this setting is not enough by itself.

The 'session_lifetime' only works at the PHP level, when loading a page and going through global.inc.php. The call to ChamiloSession::start($alreadyInstalled); starts a process which ends by checking if the session has expired (based on a session variable called starttime and the expiration time coming from the aforementionned session_lifetime).

The starttime in the session is updated at every call of ChamiloSession::start(), so the PHP part is straightforward and seems to work. But issues arise when the PHP configuration enters into play.

For example, if the session.cookie_lifetime setting in php.ini (or the vhost config) is not set to 0, then the cookie might expire before the session expires, resulting in a loss of session anyway.

The name of the cookie itself is set in ChamiloSession::start(), in the session_name(self::NAME); call, as "ch_sid".

The expiry of the cookie is mainly set by session.cookie_lifetime. If 0, it's deleted when closing the tab/window. If it's anything else, then the cookie expires after that amount of seconds.

So it's essential that cookie_lifetime be 0 or at least what can be found in $_configuration['session_lifetime'], otherwise this setting is useless.