Change session timeout value?

metroid
Posts: 4
Joined: 01 Oct 2007, 11:46

Change session timeout value?

Post by metroid »

Hi,

I'm new to Mantis and would like to know where I would go about changing the session timeout period, or how to disable it. I read somewhere I should set it to -1, but I cannot find the php file to edit!

Please help!

Regards :)
metroid
Posts: 4
Joined: 01 Oct 2007, 11:46

Post by metroid »

Anyone?
John D.
Posts: 2
Joined: 25 Oct 2007, 14:44

Post by John D. »

Hi metroid and anyone else,

I hope I am not too late to answer your question. I had the very same problem using Mantis 1.0.8. After inspecting the code I finally reached the conclusion that setting the session timeout value is not possible (in Mantis 1.0.8, which is the only version I have installed and read any code of).
In fact, it seems to me that Mantis 1.0.8 does not use sessions at all.

Though I will not guarantee the correctness of the following information, here is how I think Mantis handles "sessions":

A user will have direct access (i.e. not have to log on) if he/she has a cookie on his/her machine, from the server on which he/she wants to access Mantis, named "MANTIS_STRING_COOKIE" containing a 64-digit hexadecimal value which matches one of the values in the cookie_string column of the mantis_user_table.
Each user account has a cookie string which is unique (see the following functions for that: user_create (in user_api.php) calls auth_generate_unique_cookie_string() (in authentication_api.php)). The cookie string is also fixed, i.e. given a fixed account it will always be the same, especially across different sessions. As the cookie_string, acting as some kind of session ID, is always the same (for one account), hijacking this "session" is rather easy: just get hold of the cookie at any given time during the lifespan of the corresponding account.

I might be wrong, but both code and behaviour made this impression on me, and I personally found this handling of "sessions" a security nightmare. (And I was very astonished by that, since other security-related questions (like validating user input) are handled extremely nicely by Mantis (generally a great piece of software!).)

I am out of time for today but will explain tomorrow how I tackled this problem. It is not too hard.

Kind regards,
John
John D.
Posts: 2
Joined: 25 Oct 2007, 14:44

Post by John D. »

Ok, here is what I did to alleviate this problem (and also implement some kind of session timeout):

1. I added a new attribute to the mantis_user_table called "logged_in".
2. Every log-in sets the value of that attribute to 1 (for that user); every log-out sets it to 0.
3. Add a check for the flag logged_in to the corresponding function that checks whether a user is authenticated (e.g. auth_ensure_user_authenticated()). Now, a user not only needs a cookie with the correct cookie_string but also must have his/her flag logged_in set to 1 in order to qualify as being logged in.
4. Also, every time a user is logged out, his/her cookie_string attribute gets newly calculated and updated in the database. (Remember: the major weakness was that the cookie_string is fixed!)
5. Now, due to the logged_in flag, we know exactly who is logged on and who isn't (this is more precise than the function user_get_logged_in_user_ids() in user_api.php, which returns an array of user ids of those users who have the last_visit timestamp set to a value not earlier than a specified time).
So we write a function that simply logs out every user whose logged_in flag is set but whose last_visit value indicates prolonged inactivity. As mentioned earlier, logging out means setting their logged_in flag to 0 and recalculating their cookie_string.
6. Unfortunately PHP is bad regarding cronjobs. But we can simply write a script that calls the function "log_out_idle_users()" and configure Apache to create an http-request calling this script every x minutes. At the moment I am doing the last step (6) and hope to finish soon. Everything else works fine and in my opinion integrates nicely with the existing Mantis code.

The steps mentioned above may not be perfect. In fact, using "real" sessions is quite simple in PHP, but Mantis 1.0.8 simply does not do that. Of course one could change that, but I found the approach consisting of the above-mentioned steps less invasive.

I hope this helps.

Kind regards,
John D.
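As an added illustration of steps 3 to 5 above (example code written for this thread, not code from the post or from Mantis itself), assuming a PDO connection and the column names the post mentions; the `id` primary key, a Unix-timestamp `last_visit`, and the 30-minute idle limit are assumptions:

```php
<?php
// Added illustration of the logged_in flag plus cookie_string rotation scheme.
// Assumed: a PDO connection and a mantis_user_table with columns id,
// cookie_string, last_visit (Unix timestamp) and the new logged_in flag.

// A fresh 64-hex-digit cookie string from a CSPRNG. Rotating it on every
// logout is what removes the "fixed session id" weakness described above.
function new_cookie_string(): string {
    return bin2hex(random_bytes(32));
}

// Step 4: log a user out by clearing the flag and replacing the cookie string,
// so a previously captured cookie value stops matching anything.
function force_logout(PDO $db, int $user_id): void {
    $stmt = $db->prepare(
        'UPDATE mantis_user_table SET logged_in = 0, cookie_string = :cs WHERE id = :id'
    );
    $stmt->execute([':cs' => new_cookie_string(), ':id' => $user_id]);
}

// Step 3: a cookie value only counts if it matches AND the account is flagged
// as logged in. Returns the user id, or null when the check fails.
function authenticated_user_id(PDO $db, string $cookie_value): ?int {
    if (!preg_match('/^[0-9a-f]{64}$/', $cookie_value)) {
        return null; // reject malformed values before touching the database
    }
    $stmt = $db->prepare(
        'SELECT id FROM mantis_user_table WHERE cookie_string = :cs AND logged_in = 1'
    );
    $stmt->execute([':cs' => $cookie_value]);
    $id = $stmt->fetchColumn();
    return $id === false ? null : (int) $id;
}

// Step 5: idle timeout. Logs out every flagged user whose last_visit is older
// than $max_idle seconds and returns how many accounts were logged out.
function log_out_idle_users(PDO $db, int $max_idle = 30 * 60): int {
    $stmt = $db->prepare(
        'SELECT id FROM mantis_user_table WHERE logged_in = 1 AND last_visit < :cutoff'
    );
    $stmt->execute([':cutoff' => time() - $max_idle]);
    $count = 0;
    foreach ($stmt->fetchAll(PDO::FETCH_COLUMN) as $id) {
        force_logout($db, (int) $id);
        $count++;
    }
    return $count;
}
```

The script that step 6 schedules would only need to open the connection and call `log_out_idle_users($db)`.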
metroid
Posts: 4
Joined: 01 Oct 2007, 11:46

Post by metroid »

Thanks for the info John D. Unfortunately you went 32 miles over my head :lol: I just managed to get Mantis 1.0.8 installed on XP successfully which was a mission in itself...

I thought it would just be a matter of changing an ini file or config setting somewhere :cry: It's such a pity there is such a lack of support from the authors or experts on such matters. I appreciate the time and effort you took to write down your solution. Hopefully someone can make use of your info if I don't! Maybe if I'm feeling brave one morning I will attempt messing with php :oops:

Many thanks 8)
HUN73R
Posts: 21
Joined: 26 Feb 2008, 16:27
Location: Campinas, SP - Brazil

Re: Change session timeout value?

Post by HUN73R »

Hi,

I'm using version 1.1.1, and I have the same problem.

The session expires before I complete all tasks.
This trouble only occurs when logged as Administrator!

I can work around the problem simply by hitting the "back" browser button, but I'd like to have a concrete way to solve this problem.

I'm no master of PHP, so I won't do the things that our friend explained =/

Is there any other way in Mantis 1.1.1?

Thank you,
HUN73R
karthik085
Posts: 10
Joined: 27 Sep 2007, 04:59

Re: Change session timeout value?

Post by karthik085 »

Hi,
Can this be set in the new stable Mantis version? What about the development one, which I believe is 1.2.0 a3 now? Any suggestions are appreciated. The above ones seem to be a very bad way of getting it to work.
Thanks.
NT
Posts: 21
Joined: 30 Oct 2007, 13:35

Re: Change session timeout value?

Post by NT »

Hi

File core\constant_inc.php contains the following:


	# token expirations
	define( 'TOKEN_EXPIRY', 		60*60 ); # Default expiration of 60 minutes ( 3600 seconds )
	define( 'TOKEN_EXPIRY_LAST_VISITED', 24*60*60 );
	define( 'TOKEN_EXPIRY_AUTHENTICATED', 5*60 );

TOKEN_EXPIRY_AUTHENTICATED is used to control the timeout period for the administrator.

TOKEN_EXPIRY is the default expiry time for cookies.
I'm not sure if this will alter user session timeouts, but it might work :)

Nick
cor3huis
Posts: 21
Joined: 15 Jan 2010, 21:24

Re: Change session timeout value?

Post by cor3huis »

The official way is to change your configuration file (surprise ;)

Make sure you have a line in config_inc.php like

$g_reauthentication_expiry = 10*60;

This is, for example, 10 x 60 seconds before an admin needs to re-login.