Bug #378: session timeout in user manager
Status: closed
Description
This is for the user manager (System -> User Manager -> Settings). The Session timeout message is not very specific. It says "integer 1 or greater" but has a max of 999. I would like to ask that the maximum limit be put into the error message and also that the maximum is increased. 1 day (1440 minutes) would be sufficient for me but a higher limit may be good for other people. Also, you can put zero "0" as an option without an error. Optionally "Never" would be nice as I would only log into this from a trusted source.
Here is the current code:
/usr/local/www/system_usermanager_settings.php
if($_POST['session_timeout']) {
    // Note: "0" is falsy in PHP, so a zero entry never enters this block and is never validated.
    $timeout = intval($_POST['session_timeout']);
    if ($timeout != "" && !is_numeric($timeout))
        $input_errors[] = gettext("Session timeout must be an integer with value 1 or greater.");

    if ($timeout < 1)
        $input_errors[] = gettext("Session timeout must be an integer with value 1 or greater.");

    if ($timeout > 999)
        $input_errors[] = gettext("Session timeout must be an integer with value 1 or greater.");
}
Here is the code with the changes I described:
if (isset($_POST['session_timeout']) && $_POST['session_timeout'] !== '') {
    // Checking the raw value for truthiness (the original if($_POST['session_timeout']))
    // would skip "0", since "0" is falsy in PHP, so a zero entry would never be rejected.
    $timeout = intval($_POST['session_timeout']);
    if ($timeout != "" && !is_numeric($timeout))
        $input_errors[] = gettext("Session timeout must be an integer with value 1 to 16384.");

    if ($timeout < 1)
        $input_errors[] = gettext("Session timeout must be an integer with value 1 to 16384.");

    // Comparison (==), not assignment (=): an assignment here would always succeed and never reject.
    if ($timeout > 16384 || $timeout == 0)
        $input_errors[] = gettext("Session timeout must be an integer with value 1 to 16384.");
}
Updated by Chris Buechler over 14 years ago
- Category set to User Manager / Privileges
- Priority changed from Low to High
- Target version set to 2.0
- Affected Version set to 2.0
Prior to today, it defaulted to never timing out, which is bad. Even if only used from a "trusted" host, leaving an active session open indefinitely opens security holes if you use that browser to access anything else. You should use a browser for administration that you don't use for any general web access, but most people don't do that.
This area needs some further review.
1) A double check of my commit fixing things up.
2) Entering 0 in the timeout doesn't actually set 0 in config.xml, I presume because of the intval used there. Needs to verify it's an integer, and any number >= 0 is acceptable.
Updated by Roop Singh over 14 years ago
I see some changes have been made to last night's snapshots. It looks much better.
It does take negative values however. Putting "-1" and saving it results in not being able to log in until you manually change the config.
Updated by Ermal Luçi over 14 years ago
- Status changed from New to Feedback
Try latest snapshots which have improvements.
Updated by Chris Buechler over 14 years ago
- Status changed from Feedback to New
Still a minor issue here. It says leave blank to never time out sessions, but it's blank by default, with the default of a 4 hour timeout. Blank should be the default timeout, and 0 should cause it to never time out.
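The semantics the thread converges on (blank = default, 0 = never, positive integer up to a ceiling = minutes, negative or non-numeric rejected) as a stand-alone validation routine. This is an added example, not pfSense's own code; the function name, the 240-minute default and the 16384 ceiling are assumptions for illustration.

```php
<?php
// Assumed values: 4-hour default and the 16384-minute ceiling proposed in the ticket.
const SESSION_TIMEOUT_DEFAULT = 240;
const SESSION_TIMEOUT_MAX = 16384;

// Returns the timeout in minutes (0 meaning "never"), or null after
// appending a message to $input_errors when the input is rejected.
function validate_session_timeout($raw, array &$input_errors) {
    // Never test the raw field for truthiness: "0" is falsy in PHP, which is
    // how the original check let a zero entry bypass validation entirely.
    if ($raw === null || trim((string)$raw) === '') {
        return SESSION_TIMEOUT_DEFAULT;   // blank means "use the default", not "never"
    }
    $raw = trim((string)$raw);
    // Require a plain decimal integer before calling intval(): intval("-1") is -1
    // (the lock-out case reported above) and intval("12abc") is 12, so intval()
    // alone cannot be trusted to reject bad input.
    if (!preg_match('/^[0-9]+$/', $raw)) {
        $input_errors[] = sprintf("Session timeout must be an integer from 0 to %d.", SESSION_TIMEOUT_MAX);
        return null;
    }
    $timeout = intval($raw);
    if ($timeout > SESSION_TIMEOUT_MAX) {
        $input_errors[] = sprintf("Session timeout must be an integer from 0 to %d.", SESSION_TIMEOUT_MAX);
        return null;
    }
    return $timeout;   // 0 means the session never times out
}

// Constructed sample inputs covering the cases raised in this ticket.
$errors = array();
foreach (array('', '0', '1440', '-1', '99999', '4h') as $input) {
    $result = validate_session_timeout($input, $errors);
    printf("%-8s -> %s\n", var_export($input, true), var_export($result, true));
}
print_r($errors);
```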