So the crux of this question is just how to prevent CakePHP from de-authenticating a session ONLY after a period of inactivity.
So, if the user does nothing then I e
While the timeout value resets on each pageview and hence provides the "inactivity timeout" you require, the browser's session cookie expiry date remains constant.
So while the Cake session would internally (internally = internal to Cake) still be alive if you refreshed on the 28th minute + 35th minute, the browser ends up deleting the session cookie after the 30th minute.
You can reset the session cookie expiry date via $this->Session->renew(). Or set autoRegenerate = true and requestCountdown = 1 and Cake will renew on each pageview.
(But it's kind of silly that you'd have to regenerate the session on every page view. As is, without renew(), the timeout value will never come into play because the cookie will always expire on a fixed date no matter how much activity. This seems like a bug but I haven't looked into a workaround.)
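The two clocks described in the answer above, modelled as an added example (not code from the original answer and not CakePHP code). The function name `simulate`, its parameters and the request times are hypothetical and constructed for illustration; it compares a cookie whose expiry is fixed at login with one that is re-issued on every request, which is what renewing the session does.

```php
<?php
// Added illustration: a plain-PHP model of the two timers, no CakePHP calls.
// All names here (simulate, $renewEachRequest) are hypothetical.

/**
 * @param int[] $requestMinutes   minutes after login at which the browser sends a request
 * @param int   $timeout          idle timeout in minutes (server side and cookie lifetime)
 * @param bool  $renewEachRequest true = each response re-issues the cookie with a fresh expiry
 * @return string[]               outcome per request, keyed by minute
 */
function simulate(array $requestMinutes, int $timeout, bool $renewEachRequest): array
{
    $serverExpires = $timeout;   // server-side deadline, slides on every valid request
    $cookieExpires = $timeout;   // browser-side deadline, fixed when the cookie was set
    $outcome = [];

    foreach ($requestMinutes as $minute) {
        if ($minute >= $cookieExpires) {
            // Browser already dropped the cookie: the request carries no session id.
            $outcome[$minute] = 'logged out (cookie expired in browser)';
            break;
        }
        if ($minute >= $serverExpires) {
            $outcome[$minute] = 'logged out (idle timeout on server)';
            break;
        }
        $serverExpires = $minute + $timeout;       // activity resets the idle timer
        if ($renewEachRequest) {
            $cookieExpires = $minute + $timeout;   // new Set-Cookie with a new expiry
        }
        $outcome[$minute] = 'ok';
    }
    return $outcome;
}

$requests = [10, 28, 35, 80];   // constructed sample, includes the 28th/35th minute case
foreach ([false, true] as $renew) {
    echo $renew ? "cookie renewed on each request\n" : "cookie expiry fixed at login\n";
    foreach (simulate($requests, 30, $renew) as $minute => $result) {
        echo "  minute $minute: $result\n";
    }
}
```

With the fixed cookie the request at minute 35 is already logged out despite activity at minute 28; with renewal the session survives until the 45-minute gap before minute 80, which is the inactivity timeout the question asks for.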