Permit setting the PHP session expiry time
More and more people (I guess that's just because we are more and more people) are reporting frustration about the PHP sessions expiry.
In fact, we don't really manage them server-side: the code in main/inc/lib/main_api.lib.php::api_session_start() only checks data from the session itself, so if anything happens to the session file or to the cookie, or for some reason the time is considered to have expired, the user loses his session.
To avoid this, we could just use the last activity time from the track_e_online table, which normally only contains one entry per user (and is always updated when the user loads a new page). When the user connects the next time, we check the value of the current time (time()) - $_configuration['session_lifetime'] (the maximum session time). If it is higher than track_e_login.login_date where login_user_id = api_get_user_id(), then we expire the session straight away, otherwise we re-use the session data. If there is no session data, we have to expire the user's session.
It is important to always give the maximum time to the user's session the first time then, so the session_lifetime setting will never be ignored because the cookie expires first.
Finally, the $_configuration['session_lifetime'] shouldn't be in the configuration file. It should be a database setting, changeable by URL, so that it can be changed by the admin of any portal.
This should be much easier to test than the current configuration, because we will finally be able to control the expiration, independently of the server's configuration.
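The expiry decision proposed above, sketched as an added example that is not part of the original ticket or of Chamilo's code. The function names, the `user_id` session key, the cookie flags, the fail-closed handling of a missing tracking row and the sample timestamps are all assumptions made for illustration.

```php
<?php
// Added illustration: hypothetical names and constructed sample values.

// Give the cookie and the session file the maximum lifetime, so that the
// server-side check below is what ends a session, not the cookie.
function start_managed_session(int $maxLifetime): void
{
    ini_set('session.gc_maxlifetime', (string) $maxLifetime);
    session_set_cookie_params([
        'lifetime' => $maxLifetime,
        'httponly' => true,   // assumption: hardening flags, not from the ticket
        'secure'   => true,   // assumption: portal is served over HTTPS
        'samesite' => 'Lax',
    ]);
    session_start();
}

// $lastActivity: Unix time of the user's last page load read from the
// tracking table, or null when no row exists for that user.
function session_must_expire(?int $lastActivity, array $sessionData, int $lifetime, int $now): bool
{
    if (empty($sessionData['user_id'])) {
        return true;                 // no session data: nothing to re-use
    }
    if ($lastActivity === null) {
        return true;                 // assumption: fail closed without a server-side record
    }
    $cutoff = $now - $lifetime;      // time() - session_lifetime
    return $cutoff > $lastActivity;  // last activity is older than the allowed window
}

// Constructed cases: one-hour lifetime, fixed "now" so the run is repeatable.
$now = 1700000000;
$lifetime = 3600;
$cases = [
    'active 10 min ago'     => [$now - 600,  ['user_id' => 5]],
    'idle for 2 hours'      => [$now - 7200, ['user_id' => 5]],
    'session file lost'     => [$now - 600,  []],
    'no tracking row found' => [null,        ['user_id' => 5]],
];
foreach ($cases as $label => [$last, $data]) {
    $verdict = session_must_expire($last, $data, $lifetime, $now) ? 'expire' : 're-use';
    printf("%-22s -> %s\n", $label, $verdict);
}
```

Because the decision function takes the lifetime and the current time as arguments, it can be tested independently of the server's PHP configuration.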