Severity: MEDIUM
Location: src/Controllers/BaseController.php:158 vs src/Middleware/AuthMiddleware.php:48
Bug: Fallbacks disagree when SESSION_LIFETIME_MINUTES is absent.
Fix: Share a single constant for the fallback.
Status: open. Will reply with remediation details when resolved.
Resolved.
Unified the SESSION_LIFETIME_MINUTES fallback to 30 minutes across all callers so a missing env var can't produce a session that outlives AuthMiddleware's idle timeout:
src/Controllers/BaseController.php::rotateSessionRecord (was 120)src/Controllers/TwoFactorController.php::verify (was 120)Both now match src/Middleware/AuthMiddleware.php.
Locking this thread.