CakePHP Session Timeout on Inactivity only

Published 2019-01-13 13:55

Question:

So the crux of this question is just how to prevent CakePHP from de-authenticating a session ONLY after a period of inactivity.

So, if the user does nothing then I expect CakePHP to log them out after a period of 30 minutes. However, if the user chooses to visit a page on the 28th minute of inactivity, then CakePHP should 'reset' its timeout counter.

This currently isn't happening. Regardless of activity, CakePHP times out after the specified time in my core configuration (app/Config/core.php).

Here's my config code:

Configure::write('Session', array(
    'defaults' => 'cake',
    'timeout' => '30'
));

Any ideas?

Answer 1:

After running into the same problem I've found that this was caused by the Session.cookieTimeout value. Although the php session was still valid, the expiration date on the session cookie does not get refreshed.

This is now my session config

Configure::write('Session', array(
    'defaults' => 'php',
    'timeout' => 30, // The session will timeout after 30 minutes of inactivity
    'cookieTimeout' => 1440, // The session cookie will live for at most 24 hours; this does not affect session timeouts
    'checkAgent' => false,
    'autoRegenerate' => true, // causes the session expiration time to reset on each page load
));


Answer 2:

While the timeout value resets on each pageview and hence provides the "inactivity timeout" you require, the browser's session cookie expiry date remains constant.

So while the Cake session would internally (internally = internal to Cake) still be alive if you refreshed on the 28th minute + 35th minute, the browser ends up deleting the session cookie after the 30th minute.

You can reset the session cookie expiry date via $this->Session->renew(). Or set autoRegenerate = true and requestCountdown = 1 and Cake will renew on each pageview.

(But it's kind of silly that you'd have to regenerate the session on every page view. As is, without renew(), the timeout value will never come into play because the cookie will always expire on a fixed date no matter how much activity. This seems like a bug but I haven't looked into a workaround.)
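
The two expiry clocks described in the answers above, modelled in plain PHP as an added example (it is not CakePHP's code and not part of any answer). The function simulate() and the request traces are hypothetical; the model assumes the cookie lifetime equals timeout when cookieTimeout is not set, which matches the 30-minute cookie expiry described above.

```php
<?php
// Added illustration, not CakePHP code: a model of the two expiry clocks.
// Times are minutes since login; the request traces are constructed samples.

function simulate(array $requests, int $timeout, int $cookieTimeout, bool $renew): string
{
    $serverExpiry = $timeout;       // server-side expiry, slides on every request
    $cookieExpiry = $cookieTimeout; // browser-side expiry, fixed unless renewed

    foreach ($requests as $t) {
        if ($t >= $cookieExpiry) {
            // The browser no longer sends the session id, so the server sees a stranger.
            return "logged out at minute $t: browser dropped the cookie at minute $cookieExpiry";
        }
        if ($t >= $serverExpiry) {
            return "logged out at minute $t: idle since minute " . ($serverExpiry - $timeout);
        }
        $serverExpiry = $t + $timeout;
        if ($renew) {
            $cookieExpiry = $t + $cookieTimeout; // a fresh cookie is sent with a new expiry
        }
    }
    return 'still logged in after minute ' . end($requests);
}

$active = [28, 35, 60]; // never idle for 30 minutes
$idle   = [28, 70];     // idle for 42 minutes before the last request

$configs = [
    'timeout=30, cookie=30, no renewal'   => [30, 30, false],
    'timeout=30, cookie=1440, no renewal' => [30, 1440, false],
    'timeout=30, cookie=30, renewed'      => [30, 30, true],
];

foreach ($configs as $label => [$timeout, $cookieTimeout, $renew]) {
    echo $label, PHP_EOL;
    echo '  active user: ', simulate($active, $timeout, $cookieTimeout, $renew), PHP_EOL;
    echo '  idle user:   ', simulate($idle, $timeout, $cookieTimeout, $renew), PHP_EOL;
}
```

In the first configuration the active user is logged out at minute 35 even though the server-side session is still valid; in the other two only the idle user is logged out.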



Answer 3:

I had the same issue and I fixed it by using the autoRegenerate option:

Configure::write(
    'Session',
    array(
        'defaults' => 'cake',
        'timeout' => '30',
        'autoRegenerate' => true
    )
);

You could also use $this->Session->renew(); in your AppController.php class, but the above solution is my favourite.



Answer 4:

The answer of Rob Forrest is the right one.

Configure::write('Session', array(
        'defaults' => 'php',
        'timeout' => 30, // The session will timeout after 30 minutes of inactivity
        'cookieTimeout' => 1440
));

cookieTimeout should be larger than timeout. If you want the session to expire on inactivity only, then you need to set cookieTimeout to a very large number (for example 60*24*10 (10 days)).



Answer 5:

Configure::write('Session', array(
    'defaults' => 'cake',
    'timeout' => 1440, // The session will time out after 1440 minutes (24 hours) of inactivity
    'cookieTimeout' => 1440, // The session cookie will live for at most 24 hours; this does not affect session timeouts
    'checkAgent' => false,
    'autoRegenerate' => true, // causes the session expiration time to reset on each page load
));

This works; though the session ends after a few hours, it is still better than ending in minutes.