[Bug] Can't login without keep alive checkbox, auth cookie instantly removed

[rioky]

Describe the bug

Can't login without checking "keep alive"

To Reproduce

1. Go to login page
2. Input your data
3. Press login button without checking keep alive option
4. Instantly redirect to login page

Expected behavior

Simple login in app

FreshRSS version

1.28.0

System information

• Database version: mariadb 11.8.5
• PHP version: 8.4.10
• Installation type: latest release package
• Web server type: nginx
• Device: any
• OS: any
• Browser: any

Additional context

fix_cookie_autoremove.patch
solved with patch from AI, we found problem in Minz setting expire time to 1970 year instead of current time

[Inverle]

Could you provide more details maybe? I have a similar setup and can't reproduce this issue.
I am particularly interested in what the Set-Cookie header sent back from the login response looks like. (before the AI patch)

[rioky]

Before patch:

set-cookie: FreshRSS=d0eb17646a673b9651916242f9a1bcb1; expires=Sat, 31 Jan 1970 00:00:00 GMT; Max-Age=0; path=/i/; secure; HttpOnly

After patch:

set-cookie: FreshRSS=cd1f2948c0dbdfe1781fe121a88c9eb0; expires=Sat, 14 Feb 2026 20:34:29 GMT; Max-Age=2592000; path=/i/; secure; HttpOnly

Added part of php.ini:

[Date]
date.timezone = 'UTC'
[Session]
session.save_handler = redis
session.save_path = "tcp://127.0.0.1:6379?auth[user]=php-session&auth[pass]=php-session"
session.use_strict_mode = 1
session.use_cookies = 1
session.cookie_secure = 1
session.use_only_cookies = 1
session.name = PHPSESSID
session.auto_start = 0
session.cookie_lifetime = 2592000
session.cookie_path = /
session.cookie_domain =
session.cookie_httponly =
session.cookie_samesite =
session.serialize_handler = php
session.gc_probability = 1
session.gc_divisor = 1000
session.gc_maxlifetime = 2592000
session.referer_check =
session.cache_limiter = nocache
session.cache_expire = 180
session.use_trans_sid = 0
session.trans_sid_tags = "a=href,area=href,frame=src,form="

[Alkarex]

Hello,
I cannot reproduce the problem on my side. On which platform is your FreshRSS running, and how did you install it (git, Docker...)?

[rioky]

linux, for now opensuse 16.0, nginx, mariadb, php-fpm, redis as session storage (also tried filestorage)
initially downloaded 1.24.1 version tar.gz from github, after that many updates to 1.28.0 from webui

edit: after found bug, tried download clean 1.28.0 version from github and bug exists

[Alkarex]

@rioky Would you be able to make a pull request?

[Alkarex]

Explanation: the default value for session.cookie_lifetime is 0, which is the standard for browser sessions, where the session must be closed when the browser window is closed.
However, it is possible for server admins to modify this value, which we support in FreshRSS, but there was an error in this case, which is fixed by the patch.
I do not know why one would chose to have a value different than 0 for session.cookie_lifetime though.
https://php.net/session.configuration#ini.session.cookie-lifetime