Bug #378

session timeout in user manager

Added by Roop Singh over 9 years ago. Updated about 9 years ago.

Status: Resolved
Priority: High
Assignee: -
Category: User manager
Target version:
Start date: 02/24/2010
Due date:
% Done: 0%
Estimated time:
Affected Version: 2.0
Affected Architecture:
Description

This is for the user manager (System -> User Manager -> Settings). The Session timeout message is not very specific. It says "integer 1 or greater" but has a max of 999. I would like to ask that the maximum limit be put into the error message and also that the maximum be increased. 1 day (1440 minutes) would be sufficient for me, but a higher limit may be good for other people. Also, you can put zero "0" as an option without an error. Optionally, "Never" would be nice as I would only log into this from a trusted source.

Here is the current code:

/usr/local/www/system_usermanager_settings.php

    // Note: $_POST values are strings and the string "0" is falsy in PHP,
    // so a posted 0 never enters this block and is accepted without any error.
    if($_POST['session_timeout']) {
        $timeout = intval($_POST['session_timeout']);
        // intval() always returns an integer, so this check can never fail.
        if ($timeout != "" && !is_numeric($timeout))
            $input_errors[] = gettext("Session timeout must be an integer with value 1 or greater.");

        if ($timeout < 1)
            $input_errors[] = gettext("Session timeout must be an integer with value 1 or greater.");

        if ($timeout > 999)
            $input_errors[] = gettext("Session timeout must be an integer with value 1 or greater.");
    }

Here is the code with the changes I described:

    if($_POST['session_timeout']) {
        $timeout = intval($_POST['session_timeout']);
        if ($timeout != "" && !is_numeric($timeout))
            $input_errors[] = gettext("Session timeout must be an integer with value 1 to 16384.");

        if ($timeout < 1)
            $input_errors[] = gettext("Session timeout must be an integer with value 1 to 16384.");

        // == (comparison), not = (assignment): a single = would overwrite
        // $timeout with 0 and the condition would evaluate false instead of
        // testing the value.
        if ($timeout > 16384 || $timeout == 0)
            $input_errors[] = gettext("Session timeout must be an integer with value 1 to 16384.");
    }

Associated revisions

Revision 8cd27a98 (diff)
Added by Ermal Luçi over 9 years ago

Do not allow negative numbers in session timeout. Ticket #378.

Revision 02647583 (diff)
Added by Ermal Luçi about 9 years ago

Ticket #378. Correctly handle a timeout of 0 to mean never timeout.

Revision b567f589 (diff)
Added by Ermal Luçi about 9 years ago

Ticket #378. Correct text to reflect the allowed 0 value.

History

#1 Updated by Chris Buechler over 9 years ago

  • Category set to User manager
  • Priority changed from Low to High
  • Target version set to 2.0
  • Affected Version set to 2.0

Prior to today, it defaulted to never timing out, which is bad. Even if only used from a "trusted" host, leaving an active session open indefinitely opens security holes if you use that browser to access anything else. You should use a browser for administration that you don't use for any general web access, but most people don't do that.

This area needs some further review.

1) A double check of my commit fixing things up.
2) Entering 0 in the timeout doesn't actually set 0 in config.xml, I presume because of the intval used there. Needs to verify it's an integer, and any number >= 0 is acceptable.

#2 Updated by Roop Singh over 9 years ago

I see some changes have been made to last night's snapshots. It looks much better.

It does take negative values, however. Putting "-1" and saving it results in not being able to log in until you manually change the config.

#3 Updated by Ermal Luçi over 9 years ago

  • Status changed from New to Feedback

Try latest snapshots which have improvements.

#4 Updated by Chris Buechler over 9 years ago

  • Status changed from Feedback to New

Still a minor issue here. It says leave blank to never time out sessions, but it's blank by default, with the default of a 4 hour timeout. Blank should be the default timeout, and 0 should cause it to never time out.
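The following is an added example, not code from this ticket or from pfSense, that puts together the behaviour the reporter's description and comments #1, #2 and #4 converge on: blank means the default timeout, 0 means never time out, a positive integer up to a ceiling is minutes, and negative or non-integer input is rejected with a message that states the whole range. The function names, the 240-minute default (the "4 hour" default mentioned in comment #4), the 16384 ceiling from the description, and the expiry rule (login time plus timeout minutes) are assumptions made for this example.

```php
<?php
// Added example; not pfSense's own code. Constants and the expiry rule
// are assumptions for illustration.

const DEFAULT_SESSION_TIMEOUT = 240;   // minutes (assumed default)
const SESSION_TIMEOUT_MAX     = 16384; // minutes (ceiling proposed in the description)

/**
 * Validate the raw form value. Returns an array with
 *   'ok'      => bool
 *   'timeout' => null (use default), 0 (never), or minutes
 *   'error'   => message for $input_errors, or null
 */
function validate_session_timeout(string $raw): array
{
    $raw = trim($raw);

    // Blank means "use the default". Test for the empty string explicitly:
    // a guard like if ($_POST['session_timeout']) skips the string "0",
    // because "0" is falsy in PHP, which is how 0 slipped past the checks.
    if ($raw === '') {
        return ['ok' => true, 'timeout' => null, 'error' => null];
    }

    // Require a canonical non-negative decimal integer before converting.
    // intval() would quietly map "-1" to -1, "1.5" to 1 and "12abc" to 12,
    // so testing is_numeric() on intval()'s result can never fail.
    // \z rather than $ so a trailing newline cannot sneak past the anchor.
    if (!preg_match('/^(0|[1-9][0-9]*)\z/', $raw)) {
        return ['ok' => false, 'timeout' => null, 'error' => timeout_error()];
    }

    $timeout = (int) $raw;
    if ($timeout > SESSION_TIMEOUT_MAX) {
        return ['ok' => false, 'timeout' => null, 'error' => timeout_error()];
    }

    return ['ok' => true, 'timeout' => $timeout, 'error' => null];
}

function timeout_error(): string
{
    // One message that states both ends of the range, as the reporter asked.
    return sprintf(
        'Session timeout must be an integer from 0 (never time out) to %d minutes; leave blank for the default.',
        SESSION_TIMEOUT_MAX
    );
}

/**
 * Expiry check against the stored setting: null = default, 0 = never.
 * The rule "started_at + minutes" is an assumption for the example.
 */
function session_expired(?int $timeout, int $started_at, int $now): bool
{
    $minutes = $timeout ?? DEFAULT_SESSION_TIMEOUT;
    if ($minutes === 0) {
        return false; // never time out
    }
    return $now >= $started_at + $minutes * 60;
}

// Constructed inputs covering each case discussed in the ticket.
foreach (['', '0', '30', '1440', '-1', '1.5', '12abc', '99999'] as $raw) {
    $r = validate_session_timeout($raw);
    printf("%-8s -> %s\n", var_export($raw, true),
        $r['ok'] ? 'timeout=' . var_export($r['timeout'], true)
                 : 'error: ' . $r['error']);
}

// Why a stored -1 locks everyone out under this expiry rule: the deadline
// lies one minute before the session even started, so a freshly created
// session is already expired. 0 and blank (default) behave as intended.
$now = time();
var_dump(session_expired(-1, $now, $now));   // deadline already passed at creation
var_dump(session_expired(0, $now, $now));    // never times out
var_dump(session_expired(null, $now, $now)); // default timeout, fresh session
```

The script needs PHP 7.1 or later for the nullable `?int` parameter. Doing the format check on the raw string before any conversion is the part that matters: once the value has gone through `intval()` there is no way to tell a valid "30" from a mangled "30abc" or a rejected "-1".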

#5 Updated by Ermal Luçi about 9 years ago

  • Status changed from New to Feedback

#6 Updated by Chris Buechler about 9 years ago

  • Status changed from Feedback to Resolved

fixed
