From c28670ebedd8d8ebe83421209790c50b3b1dd673 Mon Sep 17 00:00:00 2001
From: Simon Gow <simon@silverstripe.com>
Date: Fri, 18 Jan 2019 10:07:53 +1300
Subject: [PATCH] #8724 - Session timeout regression

Only emit the session refresh cookie if the session timeout is set.
---
 src/Control/Session.php | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/Control/Session.php b/src/Control/Session.php
index 1b226c021..f0ad80545 100644
--- a/src/Control/Session.php
+++ b/src/Control/Session.php
@@ -325,9 +325,9 @@ class Session
 
                 session_start();
 
-                // Session start emits a cookie, but only if there's no existing session. If there is a session tied to
-                // this request, make sure the session is held for the entire timeout by refreshing the cookie age.
-                if ($this->requestContainsSessionId($request)) {
+                // Session start emits a cookie, but only if there's no existing session. If there is a session timeout
+                // tied to this request, make sure the session is held for the entire timeout by refreshing the cookie age.
+                if ($timeout && $this->requestContainsSessionId($request)) {
                     Cookie::set(session_name(), session_id(), $timeout / 86400, $path, $domain ?: null, $secure, true);
                 }
             } else {