Session never expires #1677
Merged
This patch sends updated session cookies to the browser when the session is refreshed on the server. This allows the session cookie to expire on the browser at the same time the session timeout occurs at the server. In the event the session timeout is configured in osTicket not to expire, the cookie will expire after seven days on the client browser, and will expire in PHP when it is garbage collected sometime after 86400 seconds after the last refresh time. Using this method, the session will never expire if the session timeout in osTicket is configured to 0, and the session is refreshed at least daily.
@@ -140,6 +142,13 @@ function refreshSession($force=false){ | |||
|
|||
$this->token = $this->getSessionToken(); | |||
//TODO: separate expire time from hash?? | |||
|
|||
setcookie(session_name(), session_id(), | |||
($time ?: time()) + ($cfg->getClientTimeout() ?: 604800), |
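Review bot: In the added `setcookie()` call, the expiry fallback `$cfg->getClientTimeout() ?: 604800` is an unexplained literal, and it is longer than the 86400-second server-side lifetime the description gives, so with the timeout set to 0 the browser can keep a cookie for a session PHP has already garbage collected. Consider a named constant tied to the server-side session TTL, with a comment stating the intent. The call is cut off after the expiry argument here, so also check that the remaining arguments pass the path, domain, secure and httponly values from `session_get_cookie_params()`, because the `setcookie()` defaults leave the secure and httponly flags off.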
Maybe we should just use the SESSION_TTL here since PHP will likely drop the session before this number of seconds, and then the client would keep sending two cookies until the first expired.
protich added a commit that referenced this pull request (Feb 10, 2015)
Session never expires Reviewed-By: Peter Rotich <peter@osticket.com>
zaphoyd added a commit to HumanitiesComputing/osTicket-1.8 that referenced this pull request (Mar 27, 2015)
v1.9.6

Maintenance release for the osTicket 1.9 series

Enhancements
* New Message-Id system allowing for better threading in mail clients (osTicket#1549, osTicket#1730)
* Fix forced session expiration after 24 hours (osTicket#1677)
* Staff panel logo is customizable (osTicket#1718)
* Priority fields have a selectable default (instead of system default) (osTicket#1732)
* Import/Export support for file contents via cli (osTicket#1661)

Improvements
* Fix broken links in documentation, thanks @Chefkeks (osTicket#1675)
* Fix handling of some Redmond-specific character set encoding names (osTicket#1698)
* Include the user's name in the "To" field of outbound email (osTicket#1549)
* Delete collaborators when deleting tickets (osTicket#1709)
* Fix regression preventing auto-responses for staff new tickets (osTicket#1712)
* Fix empty export if ticket details form has multiple priority fields (osTicket#1732)
* Fix filtering by list item properties in ticket filters (osTicket#1741)
* Fix missing icon for "add new filter", thanks @Chefkeks (osTicket#1735)
* Support Firefox v6 - v12 on the file drop widget (osTicket#1776)
* Show update errors on access templates (osTicket#1778)
* Allow empty staff login banner on update (osTicket#1778)
* Fix corruption of text thread bodies for third-party collaborator email posts (osTicket#1794)
* Add some hidden template variables to pop out content (osTicket#1781)
* Fix missing validation for user name and email address (osTicket#1816, eb8858e)
* Turn off search indexing when complete, disable incorrectly implemented work breaking, squelch error 1062 email from search backend (afa9692)
* Fix possible out of memory crash in custom forms (osTicket#1707, 0440111)

Performance and Security
* Fix generation of random data on Windows® platforms (osTicket#1672)
* Fix possible DoS and brute force on login pages (osTicket#1727)
* Fix possible redirect away from HTTPS on client login page, thanks @ldrumm (osTicket#1782)
This patch also forces the client to delete the cookie at logout.