Dan's avatar
Level 11

Auth session question

The site I'm currently working on saves a timestamp whenever a user logs in. It's quite an important bit of info as it is used by teachers to see when their students have been using the website.

Because of this we do not use the "remember me" functionality to ensure that their session does not last indefinitely. Some kids have however appeared to have been using the site 24 hrs+ after their last login timestamp. Does anyone know how long the authenticated session should last, and is there a way to ensure that session can maybe only remain idle for say a maximum of 1 hour?

Many thanks!

0 likes
5 replies
Dan's avatar
Level 11

@robgoodliffe I have the default of 120 minutes set in my config - thanks for the tip, I will bring this down. However it still doesn't explain why a user was still logged in more than 24 hours later? Cheers.

wiedem's avatar

@Dan the session timeout handling in Laravel is flawed. Take a look at this issue and what I've described here. In fact Laravel doesn't really have a session timeout handling but just a pretty poorly implemented session garbage collection.

If you want to have a reliable timeout of your sessions then you cannot use anything else but a cache based session driver, i.e. either Redis or memcached.

Just setting the lifetime session config option won't lead to the desired results if you e.g. use the file or database driver.

1 like
Dan's avatar
Level 11

@wiedem Hi, thanks so much for the reply - very interesting to hear. We are actually using the memcached driver, are you saying that this should or shouldn't work better? Do you have any advice or workarounds? Cheers.

wiedem's avatar

Using memcache (or Redis) as a session driver is the only way you get reliable session timeouts in Laravel.

So if you set the session timeout to let's say 30 minutes via 'lifetime' => 30 a user session is guaranteed to become invalid after this time. To be more specific, a user session will be entirely gone on the server side after this time if it is not renewed by the StartSession middleware because memcached will automatically delete this data.

You should note that AJAX calls on your site may extend the lifetime of a session.

Just a small optimization advice btw.: you can set the GC lottery to 0% ('lottery' => [0, 100]) since it doesn't have any effect on cache based session drivers anyways.
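
An added example, not part of the thread and not Laravel's own code: a middleware that enforces the one-hour idle limit asked about in the question on the server side, independent of the session driver, and keeps background AJAX calls from extending it. The class name, session key, passive paths and the `login` route name are assumptions; register it in the `web` group after `StartSession`.

```php
<?php

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;

class EnforceIdleTimeout
{
    // Assumed policy: maximum idle time of one hour.
    private const MAX_IDLE_SECONDS = 3600;
    // Hypothetical session key holding the last real user activity.
    private const SESSION_KEY = 'last_activity_at';
    // Hypothetical background endpoints that must not count as activity.
    private const PASSIVE_PATHS = ['notifications/poll', 'heartbeat'];

    public function handle(Request $request, Closure $next)
    {
        if (! Auth::check()) {
            return $next($request);
        }

        $session = $request->session();
        $now = time();
        $last = $session->get(self::SESSION_KEY);

        // Idle for too long: end the login and discard the session data,
        // even if the session store has not expired the record yet.
        if ($last !== null && ($now - (int) $last) > self::MAX_IDLE_SECONDS) {
            Auth::logout();
            $session->invalidate();
            $session->regenerateToken();

            return $request->expectsJson()
                ? response()->json(['message' => 'Session expired.'], 401)
                : redirect()->route('login'); // assumes a route named "login"
        }

        // Stamp activity on the first request after login and on every
        // request that is not a background poll.
        if ($last === null || ! $request->is(...self::PASSIVE_PATHS)) {
            $session->put(self::SESSION_KEY, $now);
        }

        return $next($request);
    }
}
```

Requests to the passive paths still pass through `StartSession`, so they keep the stored session record alive; only the idle clock in this middleware ignores them.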
