From af08328e8efff8ae7c5d39cfbdde15a7954525c1 Mon Sep 17 00:00:00 2001
From: Simon Gow
Date: Mon, 14 Jan 2019 14:35:58 +1300
Subject: [PATCH 1/2] Existing sessions need to set a new cookie on each request, if the session exists, otherwise our expiry is never updated and sessions can't roll on every request.
---
 src/Control/Session.php | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/src/Control/Session.php b/src/Control/Session.php
index e2591d2c5..1b226c021 100644
--- a/src/Control/Session.php
+++ b/src/Control/Session.php
@@ -324,6 +324,12 @@ class Session
 }
 
 session_start();
+
+ // Session start emits a cookie, but only if there's no existing session. If there is a session tied to
+ // this request, make sure the session is held for the entire timeout by refreshing the cookie age.
+ if ($this->requestContainsSessionId($request)) {
+ Cookie::set(session_name(), session_id(), $timeout / 86400, $path, $domain ?: null, $secure, true);
+ }
 } else {
 // If headers are sent then we can't have a session_cache_limiter otherwise we'll get a warning
 session_cache_limiter(null);
From c28670ebedd8d8ebe83421209790c50b3b1dd673 Mon Sep 17 00:00:00 2001
From: Simon Gow
Date: Fri, 18 Jan 2019 10:07:53 +1300
Subject: [PATCH 2/2] #8724 - Session timeout regression Only emit the session refresh cookie if the session timeout is set.
---
 src/Control/Session.php | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/Control/Session.php b/src/Control/Session.php
index 1b226c021..f0ad80545 100644
--- a/src/Control/Session.php
+++ b/src/Control/Session.php
@@ -325,9 +325,9 @@ class Session
 
 session_start();
 
- // Session start emits a cookie, but only if there's no existing session. If there is a session tied to
- // this request, make sure the session is held for the entire timeout by refreshing the cookie age.
- if ($this->requestContainsSessionId($request)) {
+ // Session start emits a cookie, but only if there's no existing session. If there is a session timeout
+ // tied to this request, make sure the session is held for the entire timeout by refreshing the cookie age.
+ if ($timeout && $this->requestContainsSessionId($request)) {
 Cookie::set(session_name(), session_id(), $timeout / 86400, $path, $domain ?: null, $secure, true);
 }
 } else {
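Review bot: The refreshed session cookie is rebuilt by hand in `Cookie::set(session_name(), session_id(), $timeout / 86400, $path, $domain ?: null, $secure, true)`, so from the second request onward the browser holds this cookie instead of the one `session_start()` emits, and any attribute not among these seven arguments is no longer applied. The call passes Secure and HttpOnly but no SameSite value, so a deployment that sets `session.cookie_samesite` would presumably lose that protection after the first refresh; how `Cookie::set` builds the header is not visible here, so this needs confirming. I would add a comment above the call such as `// Must mirror every attribute session_start() applies to this cookie (path, domain, Secure, HttpOnly, SameSite)` and a test asserting that the refreshed Set-Cookie header carries the same flags as the initial one. The same call is introduced unchanged in patch 1/2, and the enclosing method starts and ends outside both hunks.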