The session is not being updated.

My expectation is the opposite—the session should end.

Thank you, charlliequadros. This solution worked for me, adding this change the session is being updated in each request.
Hi cilefen, Is your session never ending?

The session should end after gc_maxlifetime. No?

As I mentioned my expectation is the opposite of yours.

Anyway, perform a git bisect on a Git working copy of Drupal core to understand which commit changed this.

Hello charlliequadros and cilefen,

After some investigation, here is my conclusion.

This change is related to the big pipe, here (https://www.drupal.org/project/drupal/issues/3414287) is the Drupal issue. So checking this, the changes between Drupal versions 10.2.7 and 10.3.0 in BigPipe were changes to implement enhance performance and security in the delivery of dynamic content on web pages. However, might be affecting how the session is managed, particularly concerning the SSESS cookie's update timing.

In Drupal 10.2.7, BigPipe handled session management by reopening the session during the rendering of placeholders and then closing it afterward. This ensured that the session's expiration time was updated as content was progressively delivered to the user. However, in Drupal 10.3.0, the changes of these pre- and post-rendering tasks may be disrupting the regular update process of the SSESS cookie.

These changes could be preventing the session from being reopened or correctly managed during placeholder rendering, leading to issues with the SSESS cookie's expiration time.

If I revert the changes made here (https://git.drupalcode.org/project/drupal/-/merge_requests/6441/diffs#6c...) in the files BigPipe.php and BigPipeResponse.php, it works as before.

Changes are made on on 11.x (our main development branch) first, and are then back ported as needed according to our policies.

The session should never be written on every single request, we have specific logic to prevent this

See WriteSafeSessionHandler::write().

What behaviour do you get with big pipe disabled - e.g. does the session timestamp get updated there when it doesn't for big_pipe?

Testing locally with big_pipe enabled, when I first visit the site, my session timestamp gets update, then I click around a bit, and it doesn't get updated for a while, but then if I try again ~6-7 minutes later, the timestamp gets updated again. This is what I'd expect to happen.

This should be the same with or without big_pipe too - or at least that was the intention of #3414287: Avoid reading session from the database multiple times during a big pipe request.

It's possible there's a bug somewhere, but please clarify the steps to reproduce if you can - the session should be updated every few minutes, not every request.

The same topic is discussed in #2925718. But it seems, that D11 has solved the problem if session_write_interval is set correctly.

I tried to reproduce the issue with the following setup on 11.x:

• Standard install profile.
• Create a new user without admin privileges.
• Login with the new user.
• Repeatedly reload a page which triggers big pipe (e.g. /contact).

In order to make the manual testing reproducible, I choose the following options for PHP session gc and Symfony session metadata_update_threshold (the latter is called session_write_interval in Drupal and it is a setting):

In sites/default/services.yml:

parameters:
  session.storage.options:
    gc_divisor: 1
    gc_maxlifetime: 30
    gc_probability: 1

In sites/default/settings.php:

$settings['session_write_interval'] = 20;

The effect of the PHP gc_divisor: 1 and gc_probability: 1 is that gc is run on every request before any session data is read from the database. That means that any session record with a timestamp older than 30 seconds is removed at the start of ever request (except for requests answered by the page cache of course).

The effect of the metadata threshold is that a session write is enforced for sessions with a timestamp older than 20 seconds.

With this setup I can confirm that every request which hits the window between the metadata threshold (session_write_interval and the gc max lifetime will bump the effective session lifetime by 30 seconds (gc_maxlifetime). This is expected behavior.

I can confirm that a session is removed and a user is logged out when I leave a tab open for more than 30 seconds (gc_maxlifetime) before I reload the browser (though, see the caveat at the end). That is expected behavior as well.

In my opinion this issue can be closed. I believe that the behavior observed by the OP is a result of a gc_maxlifetime value lower/equal than session_write_interval. If there is no window between the two values, the session timestamp is only updated when new session data is written. In cases where a very short session lifetime is required, it is probably best to set session_write_interval=0. With that setting, sessions will be written on every request - no matter whether the session data has changed or not.

For the latter test, I discovered an interesting edge case. For the test to pass there needs to be other activity which triggers the gc in between the requests in the tab left open. If the session record is still in the database when the request starts, then the session record is removed from the database (which is expected), but it is written at the end again and as a result survives the timeout (which is unexpected).

I'm unsure whether or not this edge case needs a fix. With the probabilistic gc in use today, sites cannot rely on session records being deleted reliably after surpassing the gc max lifetime anyway.

I realized, that the OP reported something different:

In 10.2.x, the session cookie is updated if necessary on every request (not yet sure whether this is done by PHP, Symfony or Drupal).

After #3414287: Avoid reading session from the database multiple times during a big pipe request, the call to \Symfony\Component\HttpFoundation\Session\Session::save() is too late to update the session cookie on big pipe responses. Response headers are already sent when big pipe performPostSendTasks() is called. I can reproduce this behavior by adding a cookie_lifetime: 30 container parameter (and still using session_write_interval: 20).

We could maybe fix that by adding more logic to \Drupal\Core\StackMiddleware\Session::handle(). E.g., trigger a session save unconditionally when the session timestamp is older than session_write_interval.

This is a very weird issue. These are my observations so far:

Before #3414287: Avoid reading session from the database multiple times during a big pipe request (git switch --detach 4e26ae9cc3da8b8a90561716c4a53fdd6c07f8f6):

• Session cookies are refreshed when big pipe module is enabled (e.g., standard install)
• Session cookies are not refreshed when big pipe module is not enabled (e.g., minimal install)

After #3414287: Avoid reading session from the database multiple times during a big pipe request (git switch --detach 522404706e440106fe7e5d382ce018b0f89637d4):

• Session cookies are not refreshed when big pipe module is enabled (e.g., standard install)
• Session cookies are not refreshed when big pipe module is not enabled (e.g., minimal install)

At least this is now consistently working as expected by @cilefen.

I think I might be running into this. I was using a very low gc_maxlifetime and gc_divisor set to 1 to test the behavior of an app with a webview when the session expires, and was surprised that no amount of navigating the site from a fresh cache clear could stop me getting logged out after the time has passed.

The session should end after gc_maxlifetime. No?

I think the unexpected behavior is that the session ends gc_maxlifetime after the session is created, regardless of how much you use the site within that period (rather than ending a minimum of gc_maxlifetime after the last access).

My observations suggest that the behavior is as follows:

• The timestamp column on the session record in the database is refreshed when the site is used (provided that the user hits an uncached route from time to time and provided that this happens in a time window between $settings['session_write_interval'] and gc_maxlifetime #17
• The expiry date on the cookie is never refreshed. #18 and #19.

If that is true, then I'd recommend to keep cookie_lifetime values high and only reduce the parameters which govern the session garbage collection for sites which require expiration of idle sessions.

I was just trying to edit my comment to say I didn't have a sufficiently low settings['session_write_interval'], but the update wouldn't submit...

Thanks @znerol for that and your other comments, they'd already pointed me in the right direction. (Although surprisingly with a setup like in #17 I'm finding I'm still logged-in after way more than 30s, will keep playing.)

(Although surprisingly with a setup like in #17 I'm finding I'm still logged-in after way more than 30s, will keep playing.)

You might be running into the edge case documented near the end of #17. If there is only activity in one tab from one user, then the session is not garbage collected.

Just a note related to #19 that since #3493911: Add a CachedPlaceholderStrategy to optimize render cache hits and reduce layout shift from big pipe, big pipe previously would have been active for pretty much any request with a session, but it now won't be with warm caches. It doesn't sound like this will make any difference at all here given that big pipe is no longer accidentally mitigating the issue anyway.