PHP Session settings ignored?

I just read an extremely interesting post which explains an unwanted side effect of garbage collection on some Debian-based systems. This cleanup process causes (maybe amongst other things) sessions to be cleared every 24 minutes, regardless of any ini setting you have set after the php.ini file is parsed (for example using ini_set() – if you are a symfony user, this is done during initialisation based on a setting in your factories.yml file).

Check it out: http://elephpants.blog.linpro.no/2009/10/02/unwanted-end-of-sessions/
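One way to keep runtime session settings from being overridden by a distribution-level cleanup job, as an added example (this is not code from the linked post or from this blog, and it is framework-free rather than the symfony factories.yml route). It assumes what the linked post describes: the periodic cleanup reads session.gc_maxlifetime from php.ini rather than from ini_set(), and sweeps the default session.save_path. Moving the application's sessions to their own directory keeps them out of that sweep; the caveat is that PHP's own probabilistic garbage collector then has to be switched back on, because Debian's packaged php.ini disables it (session.gc_probability = 0) in favour of the cron job. The directory name and lifetime are constructed values.

```php
<?php
// Added example: put sessions in an app-private directory so that a
// distribution cleanup job keyed to php.ini's gc_maxlifetime does not
// sweep them, and make PHP's own GC honour the runtime lifetime instead.
//
// Assumption (from the linked post): the cron cleanup only covers the
// default save_path and only reads php.ini, not ini_set() values.

function configureSessionStorage($savePath, $lifetimeSeconds)
{
    if (!is_dir($savePath) && !mkdir($savePath, 0700, true)) {
        throw new RuntimeException("cannot create session dir $savePath");
    }
    if (!is_writable($savePath)) {
        throw new RuntimeException("session dir $savePath is not writable");
    }

    // All of these are PHP_INI_ALL, so ini_set() at runtime is valid.
    ini_set('session.save_path', $savePath);
    ini_set('session.gc_maxlifetime', (string) $lifetimeSeconds);

    // Re-enable probabilistic GC (roughly 1 request in 100) because the
    // packaged php.ini sets gc_probability = 0 and relies on the cron job,
    // which no longer covers this directory.
    ini_set('session.gc_probability', '1');
    ini_set('session.gc_divisor', '100');

    // The cookie should not outlive the server-side data it refers to.
    ini_set('session.cookie_lifetime', (string) $lifetimeSeconds);

    // Report the values PHP will actually use for this request, so a
    // deployment check can compare them against php.ini's defaults.
    return array(
        'save_path'      => ini_get('session.save_path'),
        'gc_maxlifetime' => (int) ini_get('session.gc_maxlifetime'),
        'gc_probability' => (int) ini_get('session.gc_probability'),
        'gc_divisor'     => (int) ini_get('session.gc_divisor'),
    );
}

// Constructed usage: a two-hour lifetime in an app-private directory.
// Must run before session_start() and before any output.
$effective = configureSessionStorage(sys_get_temp_dir() . '/myapp-sessions', 7200);
session_start();
print_r($effective);
```

If you keep the default save_path instead, the only reliable place for the lifetime is php.ini itself (or the web server's PHP configuration), since that is what the cleanup job reads.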

Symfony security, sessions not cleared when logging out

I’m not sure if this will be covered in 1.1 (maybe someone can shed some light on it?) but currently when you log out using sfGuardAuth standard functionality, the session is not cleared/destroyed.

This only came to light recently, when I was scratching my head over why a parameter I had set was still available in the $sf_params array even after logging out, and logging back in again as a different user. This threw up an interesting security issue, because I started to wonder if I’d set any admin specific parameters elsewhere which could be reused by another user on the same machine.

The fix is fairly straightforward, but can only be run when not in test mode, because sfBrowser does not like the session to be destroyed! Maybe this is why it has never been written into the core functionality?

In apps/yourapp/modules/sfGuardAuth/actions/actions.class.php

  public function executeSignout()
  {
    // sfBrowser (used by the functional tests) breaks if the session is
    // destroyed, so only do this outside the test environment.
    if (sfConfig::get('sf_environment') != 'test')
    {
      // Issue a fresh id and delete the old session file while the session
      // is still active (session_regenerate_id() fails once the session has
      // been destroyed), then destroy the new one as well so no data remains.
      session_regenerate_id(true);
      session_destroy();
    }
    parent::executeSignout();
  }

Adding the parent::executeSignout() line means that you can let the sfGuard plugin do the remainder of the work for you, so rather than overriding the function, you are just adding a bit to the start of it.
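The problem the post describes, reproduced and fixed outside symfony as an added example (not code from the post or from sfGuardPlugin): an admin login stores a parameter, a logout that only forgets the user leaves that parameter in the session, and a later login as someone else can still read it. The logout below clears the in-memory data, expires the browser cookie, regenerates the id so the old server-side file is deleted, and then destroys what is left. The user names and the admin_filter parameter are constructed; the script runs from the command line, where PHP's file-based sessions work without a browser.

```php
<?php
// Added example: a complete logout versus a stale session. Not from the
// post or sfGuardPlugin; names and the admin_filter parameter are made up.

function login($user, $isAdmin)
{
    session_start();
    session_regenerate_id(true);   // new id whenever privilege changes
    $_SESSION['user']  = $user;
    $_SESSION['admin'] = $isAdmin;
    if ($isAdmin) {
        // The kind of admin-only parameter that must not survive a logout.
        $_SESSION['admin_filter'] = 'all-customers';
    }
    return session_id();
}

// What the post observes: only the identity is forgotten, the rest stays.
function incompleteLogout()
{
    unset($_SESSION['user'], $_SESSION['admin']);
}

// Full teardown: nothing usable remains on the server or in the browser.
function completeLogout()
{
    if (session_id() === '') {
        return;                                  // no active session
    }
    $_SESSION = array();                         // clear in-memory data
    if (ini_get('session.use_cookies')) {
        // Expire the cookie (a no-op on the CLI, required in a web request).
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_regenerate_id(true);                 // delete the old file
    session_destroy();                           // and the new, empty one
}

// Run both flows and report whether the admin parameter leaked to the next user.
function demo()
{
    $adminSid = login('alice', true);
    incompleteLogout();
    $userSid  = login('bob', false);
    $leakedWithoutFix = isset($_SESSION['admin_filter']);
    completeLogout();

    $adminSid2 = login('alice', true);
    completeLogout();
    $userSid2  = login('bob', false);
    $leakedWithFix = isset($_SESSION['admin_filter']);
    completeLogout();

    return array(
        'leaked_without_fix' => $leakedWithoutFix,
        'leaked_with_fix'    => $leakedWithFix,
        'ids_differ'         => $adminSid !== $userSid && $adminSid2 !== $userSid2,
    );
}

print_r(demo());
```

Note that the second login in the first flow does not even need a fresh session_start() in a real application: the browser still carries the same cookie, so the same $_SESSION array is loaded, which is exactly why the parameter was still visible in $sf_params after logging back in.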