PK98252: The new use of PHP sessions has the potential of logging users o ff erroneously

IBM Rational Build Forge Fix Pack 3 for Version 7.1.1 (7.1.1.3)

APAR status

• Closed as program error.

Error description

• The new use of PHP sessions has the potential of logging users o
  ff erroneously
  
  The following scenario is being experienced by end users:
  -Autologoff is set to 0
  -The view build logs and step away from hte UI for a while - whi
  le leaving the browser open
  -Return to the computer - typically after 30 minutes of idleness
   - and are required to log back into BF again
  
  In all cases the bf_sessions table holds good data, and no error
   is thrown in the catalina.out log denoting a bad bf_session.
  
  The root cause is as follows:
  The new PHP sessions introduced in BF 7.1 have a garbage collect
  or which goes in and removes old sessions. The settings:
  session.gc_probability = 1
  session.gc_divisor     = 1000
  session.gc_maxlifetime = 1440
  
  control this behavior. This means all sessions will only be viab
  le within PHP for 24 minutes, not unlimited as setting auto logo
  ff to 0 promotes.
  
  To reproduce:
  Set the above three settings to:
  session.gc_probability = 1
  session.gc_divisor     = 1
  session.gc_maxlifetime = 10
  
  This will force garbage collection on each page click.
  
  Log in and wait for 15 seconds. Once the time has passed click o
  n any link.
  
  Result:
  You are presented with the log in page
  
  Expected result:
  You would not be logged off
  
  This is a two part defect:
  
  1) We need to reset the session times on the session files each
  and every time a user performs any actions. The garbage collecti
  on is performed based on these times. I have only found session_
  start() is able to actually reset these times for users based on
   my reading.
  
  2) Document the three options above and how they impact users of
   Build Forge regardless of what the auto logoff is set to
  
  Workaround:
  The main workaround for this is to set the session.gc_maxlifetim
  e to a larger number than 1440, or 24 minutes. This is in second
  s format. Be aware that setting this too high can cause a large
  number of files to build up in the $BF_HOME/temp directory and m
  ay need to be priodically cleaned out.
  

Local fix

Problem summary

• Users' sessions  were being invalidated by php instead of
  BF, so users would have to login after 24 minutes, instead
  of whatever time they product was configured.
  

Problem conclusion

• updated the default php session timeout, which was set to 24
  minutes.  Set this to 24 hours, so users will still be
  logged off by php after 24 hours of idle time, but at least
  within the course of any given week, they should remain
  logged in as long as they use the product once a day.
  
  If this value needs to be increased, admins can change the
  value of session.gc_maxlifetime (in php.ini) to something
  higher than it is now. Unfortunately, php does not have a
  setting for "never time out".
  

Temporary fix

Comments

APAR Information

• APAR is sysrouted FROM one or more of the following:

• APAR is sysrouted TO one or more of the following:

Fix information

• Fixed component name

  BUILD FORGE EE

• Fixed component ID

  5724S2702

Applicable component levels

• R710 PSN

     UP