[geeklog-hg] [Geeklog-Core/geeklog] f688d4: Fixes for session handling and auto login

Tom noreply at github.com
Tue Dec 17 12:36:19 EST 2019


  Branch: refs/heads/master
  Home:   https://github.com/Geeklog-Core/geeklog
  Commit: f688d4e0f5f9a682bffef94b663e047aa2e1379d
      https://github.com/Geeklog-Core/geeklog/commit/f688d4e0f5f9a682bffef94b663e047aa2e1379d
  Author: eSilverStrike <eSilverStrike at users.noreply.github.com>
  Date:   2019-12-17 (Tue, 17 Dec 2019)

  Changed paths:
    M language/english.php
    M language/english_utf-8.php
    M language/japanese_utf-8.php
    M public_html/admin/auth.inc.php
    M public_html/admin/configuration_validation.php
    M public_html/docs/english/config.html
    M public_html/docs/japanese/config.html
    M public_html/layout/denim/preferences/profile.thtml
    M public_html/layout/denim_three/preferences/profile.thtml
    M public_html/layout/modern_curve/preferences/profile.thtml
    M public_html/users.php
    M public_html/usersettings.php
    M system/lib-sessions.php
    M system/lib-webservices.php

  Log Message:
  -----------
  Fixes for session handling and auto login

For issue #1006 and #1008

- Added min and max range for session timeout config option so admin user cannot create a session timeout that is too short (min timeout possible is now 5 minutes)
- Autologin expiry now includes session timeout so it can never be lower than session timeout
- User Settings page includes a tooltip now better explaining how “Remember Me For” works
- Autologin Key expiry once set does not change. This is for better security as it will force a manual login at some point (as long as the session gets to expire due to inactivity from the user)
- If cookie does not match stored hash then new cookie key and hash generated which keeps same expiry as old hash

Also fixes for issues created because we don’t delete expired sessions and autologin keys on every page load for all users (because it is expensive to run), ONLY when a new session is actually created. This could cause issues for websites that don’t get many new visitors but only existing users, especially if they keep visiting the website before their session expires due to inactivity. This means SESS_sessionCheck now checks whether the current session found for the user, along with the key, is expired or not, which results in a little bit of extra overhead on each page load.
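The rules listed in the commit message (bounded session timeout, autologin expiry that includes the session timeout and is never extended, re-issue of a mismatching cookie key with the old expiry kept, and expiry checked on every request rather than only at cleanup) modelled in Python as an added example. This is not Geeklog code and does not follow its API: the class and function names, the 24-hour upper bound, the reading of "includes" as remember_for + session_timeout, and the choice to re-issue a mismatching key only for a user who already holds a valid session are all assumptions of this example; the 5-minute minimum is the one stated in the message.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional, Tuple

# The 5-minute minimum is stated in the commit message; the 24-hour
# maximum is an assumption made for this example.
MIN_SESSION_TIMEOUT = 5 * 60
MAX_SESSION_TIMEOUT = 24 * 60 * 60


def validate_session_timeout(seconds: int) -> int:
    """Reject a configured timeout outside [min, max], as a config validator would."""
    if not MIN_SESSION_TIMEOUT <= seconds <= MAX_SESSION_TIMEOUT:
        raise ValueError(f"session timeout must be within "
                         f"{MIN_SESSION_TIMEOUT}..{MAX_SESSION_TIMEOUT}s, got {seconds}")
    return seconds


def hash_key(key: str) -> str:
    """Only a hash of the autologin key is kept server-side."""
    return hashlib.sha256(key.encode()).hexdigest()


@dataclass
class Session:
    uid: int
    last_seen: float


@dataset if False else dataclass
class Autologin:
    key_hash: str
    expires_at: float  # fixed when the key is issued, never extended


class SessionStore:
    def __init__(self, session_timeout: int, remember_for: int, clock):
        self.session_timeout = validate_session_timeout(session_timeout)
        self.remember_for = remember_for   # "Remember Me For", in seconds
        self.clock = clock                 # injectable clock so the demo is deterministic
        self.sessions: dict = {}           # session_id -> Session
        self.autologins: dict = {}         # uid -> Autologin

    def issue_autologin(self, uid: int) -> str:
        """Mint a cookie key; expiry = remember_for + session_timeout (assumed reading)."""
        key = secrets.token_urlsafe(32)
        expires = self.clock() + self.remember_for + self.session_timeout
        self.autologins[uid] = Autologin(hash_key(key), expires)
        return key

    def reissue_autologin(self, uid: int, cookie_key: str) -> Optional[str]:
        """For a user already authenticated by a live session: if the presented
        cookie does not match the stored hash, mint a new key but keep the old expiry."""
        rec = self.autologins.get(uid)
        if rec is None or hmac.compare_digest(rec.key_hash, hash_key(cookie_key)):
            return None  # no record, or cookie already current
        new_key = secrets.token_urlsafe(32)
        self.autologins[uid] = Autologin(hash_key(new_key), rec.expires_at)
        return new_key

    def session_check(self, session_id: Optional[str],
                      cookie: Optional[Tuple[int, str]]) -> Tuple[Optional[int], Optional[str]]:
        """Per-request check. Returns (uid, session_id) or (None, None) to force a
        manual login. Expiry is evaluated here on every request instead of
        relying on a cleanup that only runs when a new session is created."""
        now = self.clock()
        sess = self.sessions.get(session_id)
        if sess is not None:
            if now - sess.last_seen < self.session_timeout:
                sess.last_seen = now
                return sess.uid, session_id
            del self.sessions[session_id]      # idle too long: drop it right now
        if cookie is None:
            return None, None
        uid, key = cookie
        rec = self.autologins.get(uid)
        if rec is None:
            return None, None
        if rec.expires_at <= now:
            del self.autologins[uid]           # key lifetime is over: manual login
            return None, None
        if not hmac.compare_digest(rec.key_hash, hash_key(key)):
            return None, None
        new_sid = secrets.token_urlsafe(16)    # fresh id, never the one presented
        self.sessions[new_sid] = Session(uid, now)
        return uid, new_sid


def demo() -> dict:
    """Walk the rules with a constructed clock; every value should be True."""
    t = [1_000_000.0]
    store = SessionStore(session_timeout=600, remember_for=7 * 86400, clock=lambda: t[0])
    key = store.issue_autologin(42)
    expires = store.autologins[42].expires_at
    out = {}
    uid, sid = store.session_check(None, (42, key))         # cookie only: session created
    out["autologin_ok"] = uid == 42
    t[0] += 500                                             # inside the 10-minute window
    out["session_alive"] = store.session_check(sid, None)[0] == 42
    t[0] += 700                                             # idle past the window
    out["idle_session_dropped"] = store.session_check(sid, None)[0] is None
    uid, sid2 = store.session_check(sid, (42, key))         # cookie brings the user back
    out["autologin_again"] = uid == 42 and sid2 != sid
    new_key = store.reissue_autologin(42, "stale-key")      # mismatch: new key, same expiry
    out["reissued_same_expiry"] = new_key is not None and store.autologins[42].expires_at == expires
    out["old_key_rejected"] = store.session_check("nosuch", (42, key))[0] is None
    t[0] = expires + 1                                      # past the fixed expiry
    out["expired_forces_login"] = (store.session_check("nosuch", (42, new_key))[0] is None
                                   and 42 not in store.autologins)
    return out
```

The point to take from the demo is the last two observations: a re-issued key inherits the original expiry rather than resetting it, so a user who keeps coming back is still forced through a manual login once that fixed deadline passes, exactly the behaviour the message describes.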
