
Session never expires #1677

Merged (2 commits, Feb 10, 2015)

Conversation

greezybacon (Contributor):

This patch sends updated session cookies to the browser when the session is refreshed on the server. This allows the session cookie to expire on the browser at the same time the session timeout occurs at the server. In the event the session timeout is configured in osTicket not to expire, the cookie will expire after seven days on the client browser, and will expire in PHP when it is garbage collected sometime after 86400 seconds after the last refresh time.

Using this method, the session will never expire if the session timeout in osTicket is configured to 0, and the session is refreshed at least daily.

This patch also forces the client to delete the cookie at logout.

This patch sends updated session cookies to the browser when the session is
refreshed on the server. This allows the session cookie to expire on the
browser at the same time the session timeout occurs at the server. In the
event the session timeout is configured in osTicket not to expire, the
cookie will expire after seven days on the client browser, and will expire
in PHP when it is garbage collected sometime after 86400 seconds after the
last refresh time.

Using this method, the session will never expire if the session timeout in
osTicket is configured to 0, and the session is refreshed at least daily.
@@ -140,6 +142,13 @@ function refreshSession($force=false){

$this->token = $this->getSessionToken();
//TODO: separate expire time from hash??

setcookie(session_name(), session_id(),
($time ?: time()) + ($cfg->getClientTimeout() ?: 604800),
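Review bot: the fallback in `($cfg->getClientTimeout() ?: 604800)` gives the cookie a seven-day lifetime whenever the timeout is configured as 0, which is far longer than the 86400-second garbage-collection window the commit message describes, so the browser keeps presenting a cookie for a session PHP may already have dropped; the author's own comment on this line (use the session TTL instead) points at the fix, and the fallback should be the server-side session lifetime so the two expire together. The `//TODO: separate expire time from hash??` note directly above should also be resolved or given an issue reference rather than merged as an open question.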
greezybacon (Contributor, Author) commented on this line:

Maybe we should just use the SESSION_TTL here since PHP will likely drop the session before this number of seconds, and then the client would keep sending two cookies until the first expired.
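The cookie-lifetime rule the description gives (configured timeout, else seven days) and the mismatch against PHP's garbage-collection window raised in the comment above, as an added example in PHP that is not osTicket's code: `cookieExpiry()`, `staleCookieWindow()`, `refreshSessionCookie()` and `logoutAndDeleteCookie()` are hypothetical names, `$clientTimeout` stands in for `$cfg->getClientTimeout()`, and 86400 is taken from the description as the assumed `session.gc_maxlifetime`.

```php
<?php
// Added example, not osTicket's code. Models the cookie lifetime the patch
// describes and measures how long a browser would keep a cookie for a
// session PHP has already garbage-collected.

const SEVEN_DAYS = 604800;            // fallback used when the timeout is 0 ("never expire")
const ASSUMED_GC_MAXLIFETIME = 86400; // assumed session.gc_maxlifetime, taken from the PR text

/**
 * Expiry timestamp the refreshed cookie should carry: now plus the configured
 * client timeout, or plus seven days when the timeout is configured as 0.
 * $clientTimeout stands in for $cfg->getClientTimeout() (hypothetical name).
 */
function cookieExpiry(int $now, int $clientTimeout): int
{
    return $now + ($clientTimeout ?: SEVEN_DAYS);
}

/**
 * Seconds during which the browser keeps presenting a cookie whose server-side
 * session may already be gone. 0 means the cookie never outlives the session.
 */
function staleCookieWindow(int $clientTimeout, int $gcMaxLifetime): int
{
    return max(0, ($clientTimeout ?: SEVEN_DAYS) - $gcMaxLifetime);
}

/**
 * Re-send the session cookie so its browser expiry tracks the server timeout.
 * The options-array form of setcookie() requires PHP 7.3 or later.
 */
function refreshSessionCookie(int $clientTimeout): void
{
    setcookie(session_name(), session_id(), [
        'expires'  => cookieExpiry(time(), $clientTimeout),
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

/**
 * Logout: clear server-side state and force the browser to delete the cookie
 * by re-sending it with an expiry in the past.
 */
function logoutAndDeleteCookie(): void
{
    $_SESSION = [];
    setcookie(session_name(), '', [
        'expires'  => time() - 3600,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_destroy();
}

// CLI demonstration: compare a "never expire" configuration (0) with a
// 30-minute timeout against the assumed garbage-collection lifetime.
// Only the pure functions are exercised here; setcookie() needs a real request.
if (PHP_SAPI === 'cli') {
    $now = time();
    foreach ([0, 1800] as $timeout) {
        printf(
            "timeout=%5d  cookie lifetime=%6d s  stale window=%6d s\n",
            $timeout,
            cookieExpiry($now, $timeout) - $now,
            staleCookieWindow($timeout, ASSUMED_GC_MAXLIFETIME)
        );
    }
}
```

Run it with `php example.php`. With a timeout of 0 the stale window is the six days between the seven-day cookie and the one-day garbage-collection lifetime, which is the situation the comment above describes; replacing `SEVEN_DAYS` with the server-side session lifetime closes that window.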

protich added a commit that referenced this pull request Feb 10, 2015
Session never expires

Reviewed-By: Peter Rotich <peter@osticket.com>
@protich protich merged commit 2bda5c9 into osTicket:develop Feb 10, 2015
zaphoyd added a commit to HumanitiesComputing/osTicket-1.8 that referenced this pull request Mar 27, 2015
v1.9.6

Maintenance release for the osTicket 1.9 series

Enhancements
  * New Message-Id system allowing for better threading in mail clients (osTicket#1549, osTicket#1730)
  * Fix forced session expiration after 24 hours (osTicket#1677)
  * Staff panel logo is customizable (osTicket#1718)
  * Priority fields have a selectable default (instead of system default) (osTicket#1732)
  * Import/Export support for file contents via cli (osTicket#1661)

Improvements
  * Fix broken links in documentation, thanks @Chefkeks (osTicket#1675)
  * Fix handling of some Redmond-specific character set encoding names (osTicket#1698)
  * Include the user's name in the "To" field of outbound email (osTicket#1549)
  * Delete collaborators when deleting tickets (osTicket#1709)
  * Fix regression preventing auto-responses for staff new tickets (osTicket#1712)
  * Fix empty export if ticket details form has multiple priority fields (osTicket#1732)
  * Fix filtering by list item properties in ticket filters (osTicket#1741)
  * Fix missing icon for "add new filter", thanks @Chefkeks (osTicket#1735)
  * Support Firefox v6 - v12 on the file drop widget (osTicket#1776)
  * Show update errors on access templates (osTicket#1778)
  * Allow empty staff login banner on update (osTicket#1778)
  * Fix corruption of text thread bodies for third-party collaborator email posts (osTicket#1794)
  * Add some hidden template variables to pop out content (osTicket#1781)
  * Fix missing validation for user name and email address (osTicket#1816, eb8858e)
  * Turn off search indexing when complete, disable incorrectly implemented word breaking, squelch error 1062 email from search backend (afa9692)
  * Fix possible out of memory crash in custom forms (osTicket#1707, 0440111)

Performance and Security
  * Fix generation of random data on Windows® platforms (osTicket#1672)
  * Fix possible DoS and brute force on login pages (osTicket#1727)
  * Fix possible redirect away from HTTPS on client login page, thanks @ldrumm (osTicket#1782)