
mpmurph wrote:

Understanding 'Session' better - setting 'lifetime', avoiding data transference between users and how file deletion works.

Hello all -

In testing my app (Laravel 5.1/file-based session), I just realized that when a user logged in, logged out and then a new user signed up/logged in, the new user was inheriting some of the session data leftover from the signed-out user. Basically, a new session ID was created but the new user's session took on the token from the previous user and any legacy session data that was stored.

I found a stackoverflow question from a user who experienced the same problem. As a result of that discussion (and some others I found online), I wrote a getLogout() to overwrite the native method, calling Session::flush() just before logging the user out, flushing the data my app inserts into session and the user's token.

The flush() fix works for users who actively choose to log out. A lingering concern though is, what if a user simply abandons their browser (something also mentioned by the stackoverflow user). What happens to the session file then? What happens when a new user logs in after a session expires? In an effort to test if this is indeed a potential loophole, I went into the config/session.php file and changed the session lifetime from the default of 120 minutes to 1 minute. However, my app doesn't seem to be recognizing the updated lifetime. I tried changing 'encrypt' to true instead of false - immediately that was recognized, so my app is definitely processing the data in the session.php file and I know it has timed out before (presumably at the 120 minute mark).

I don't want to leave the lifetime at 1 minute in the long run - I just want to do some testing to see what happens when a session expires - but I don't want to wait 2 hours between tests. Any suggestions as to why the 1-minute expiry time isn't working?

On a separate but related note - I would like to understand when and how session files are destroyed? Can I force a delete? How do you make sure that your session folder doesn't become bloated with outdated session files? Perhaps this is automatically taken care of somehow? If so, I would be keen to understand how.

One of the possible solutions it seems (if the abandoned browser situation does generate a similar problem of data transference between users) is to run a Session::flush() on both the login page and the signup page, to ensure unique session data for the user signing up/in, but I wonder whether this will cause a token mismatch exception?

Many thanks for any help/advice/insight anyone is able to offer!

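The logout override described in the post, written out as an added example (this is not mpmurph's code). It assumes Laravel 5.1's stock App\Http\Controllers\Auth\AuthController, whose getLogout() comes from the AuthenticatesUsers trait and is replaced by defining the method on the controller, and it assumes the Store::regenerate($destroy) signature of that release, where passing true also deletes the old session file.

```php
<?php
// Added example for Laravel 5.1; not the original poster's code.

namespace App\Http\Controllers\Auth;

use App\Http\Controllers\Controller;
use Illuminate\Foundation\Auth\AuthenticatesAndRegistersUsers;
use Illuminate\Foundation\Auth\ThrottlesLogins;
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Facades\Session;

class AuthController extends Controller
{
    use AuthenticatesAndRegistersUsers, ThrottlesLogins;

    /**
     * Log the user out, then make sure nothing from this session can be
     * picked up by the next person who uses the same browser.
     */
    public function getLogout()
    {
        // Clears the auth key from the session and the remember-me cookie.
        Auth::logout();

        // Drop every remaining key, including '_token' (the CSRF value) and
        // anything the app itself stored. The next request's session start
        // sees no '_token' and issues a fresh one before the login form renders.
        Session::flush();

        // Rotate the session ID; with $destroy = true the old session file
        // under storage/framework/sessions is removed as well (assumption:
        // 5.1's Store::regenerate($destroy = false) signature).
        Session::regenerate(true);

        return redirect(
            property_exists($this, 'redirectAfterLogout') ? $this->redirectAfterLogout : '/'
        );
    }
}
```

Because the old file is destroyed on logout rather than left for garbage collection, this path does not depend on the lifetime or lottery settings at all; those only matter for sessions that are abandoned without logging out.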
d3xt3r wrote:

Whoa, long question! Do you use the remember me feature? If yes, setting a timeout will have (IMO) no effect.

"I would like to understand when and how session files are destroyed?"

There's an option called lottery, basically responsible for clearing old session data.

d3xt3r wrote:

"the new user was inheriting some of the session data leftover from the signed-out user"

Yes, I do see that. A PR is required to fix that.

mpmurph wrote:

@premsaurav Thanks for taking a stab at my questions! I know - a lot!

I have indeed set up the 'remember me' feature but I am running my tests without ticking that box. Just to be sure though, after reading your question, I double checked my database and all of my fake 'users' have a remember_token of NULL... What I find curious is that my sessions have expired in the past (when I get up and leave my computer and come back a while later) so it does seem to be working in some form - up until now I just assumed it was the 120 minute default kicking in.

d3xt3r wrote:

@mpmurph I am able to change the session timeout by changing lifetime. Not sure why it isn't working for you.

mpmurph wrote:

@premsaurav I think I've realized why the 1 minute lifetime wasn't working!

At first, I thought it might have to do with the statistics/probability of garbage collection after I read @spekkionu's comments in response to this question. Following that lead really helped me to understand a bit more about what is going on with Session under the hood. In doing further research along this path, I came across this article which helped me understand too why the inheritance of data was happening before I implemented Session::flush().

Ultimately, however, I discovered that this - even though it refers to Laravel 4 and I am working with Laravel 5.1 - seems to be the reason I could not get my 1 minute lifetime to work: I had also set 'expire_on_close' to true which apparently causes Laravel to ignore the 'lifetime' variable. Once I set 'expire_on_close' to false, I got the 1 minute lifetime to work!

Now to figure out if data transference happens when a session times out and whether Session::flush() is needed on login/sign-up.
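The three settings the thread circles around (d3xt3r's lottery remark and mpmurph's expire_on_close finding) shown together in one config/session.php, as an added example rather than anyone's actual config. The keys are the ones Laravel 5.1 ships in that file; the values are chosen to illustrate the interaction, and the 1 minute lifetime is a test value only.

```php
<?php
// Added example config for Laravel 5.1's file session driver; not the
// original poster's file. Only the keys relevant to the discussion are
// commented; the rest keep their stock values.

return [
    'driver' => env('SESSION_DRIVER', 'file'),

    // Minutes of inactivity after which a session is stale. With the file
    // driver this is the age at which garbage collection deletes the file
    // under 'files', and, when expire_on_close is false, the expiry set on
    // the session cookie. 1 minute here is purely for expiry testing.
    'lifetime' => 1,

    // true turns the session cookie into a browser-session cookie with no
    // expiry, so the lifetime above no longer decides when the browser drops
    // it. Leave this false while testing a short lifetime.
    'expire_on_close' => false,

    'encrypt' => false,

    // Where the file driver keeps one file per session ID.
    'files' => storage_path('framework/sessions'),

    'connection' => null,
    'table' => 'sessions',

    // Garbage collection is probabilistic: on each request there is a
    // lottery[0]-in-lottery[1] chance (2% here) that the handler sweeps files
    // older than 'lifetime'. Nothing is deleted on the request that expires
    // a session; the file lingers until a sweep happens to run.
    'lottery' => [2, 100],

    'cookie' => 'laravel_session',
    'path' => '/',
    'domain' => null,
    'secure' => false,
];
```

Two consequences follow for the abandoned-browser case: a stale file can sit in storage/framework/sessions for a while after its lifetime passes (raising the lottery odds, or deleting the files, clears the backlog), and a visitor who never logs out only sheds their data when that sweep runs, which is why flushing and regenerating the session at login or signup is a separate question from how quickly files are cleaned up.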
