
This queue is for tickets about the Maypole-Authentication-UserSessionCookie CPAN distribution.

Report information
The Basics
Id: 6483
Status: new
Priority: 0/
Queue: Maypole-Authentication-UserSessionCookie

People
Owner: Nobody in particular
Requestors: jester [...] panix.com
Cc:
AdminCc:

Bug Information
Severity: Normal
Broken in: (no value)
Fixed in: (no value)

Attachments


Subject: Expire sessions server-side, not just in cookie
Currently a session is expired based on the cookie alone, so a user can keep a session alive by playing with the time values on his/her remote machine, by manipulating the cookie itself, etc. This is not OK for authentication purposes. The attached patch will ensure that session expiration is handled both by the cookie's expiry, and by an expiration field stored server-side in the session, which the user cannot touch. Also some very minor doc changes. CHANGE FROM PREVIOUS VERSIONS: the expiry time is now set in {auth}{expiry}, with a value given in seconds, not in {auth}{cookie_expiry} with a cookie expiration string. This seems better anyway.
Download M-A-USC-patch
application/octet-stream 2.3k

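The server-side check the ticket asks for, shown as an added illustration: this is not the attached patch and not Maypole's own code. The session record keeps its own expiry timestamp, computed from the `{auth}{expiry}` seconds value the ticket describes, and a request is rejected once the server clock passes it, whatever the cookie claims. The in-memory session hash and the helper names are assumptions for the example.

```perl
use strict;
use warnings;

# Configuration in the form the ticket describes: expiry in seconds under {auth}{expiry}.
my %config = ( auth => { expiry => 3600 } );

# Cookie-only check (the behaviour the ticket reports): it trusts a client-supplied
# expiry value, so a tampered cookie or a skewed client clock keeps the session alive.
sub cookie_only_valid {
    my ($cookie, $now) = @_;
    return $cookie->{expires} > $now ? 1 : 0;
}

# Server-side session store; an in-memory hash stands in for the real backend (assumed).
my %sessions;

# Create a session and record its expiry on the server, where the client cannot reach it.
sub create_session {
    my ($sid, $uid, $now) = @_;
    $sessions{$sid} = {
        uid     => $uid,
        expires => $now + $config{auth}{expiry},
    };
    return $sessions{$sid};
}

# Hardened check: the cookie only identifies the session; the expiry that decides
# is the one stored server-side, and an expired session is removed from the store.
sub session_valid {
    my ($cookie, $now) = @_;
    my $s = $sessions{ $cookie->{sid} } or return 0;
    if ($now >= $s->{expires}) {
        delete $sessions{ $cookie->{sid} };
        return 0;
    }
    return 1;
}

# Constructed scenario: a cookie whose client-side expiry was pushed far into the future,
# presented well after the server-side expiry has passed.
my $t0 = 1_000_000;
create_session('abc', 42, $t0);
my $tampered = { sid => 'abc', expires => $t0 + 999_999 };
my $later    = $t0 + 2 * $config{auth}{expiry};

print "cookie-only check: ", (cookie_only_valid($tampered, $later) ? "still valid" : "expired"), "\n";
print "server-side check: ", (session_valid($tampered, $later)    ? "still valid" : "expired"), "\n";
```

The first line reports the session as still valid, the second as expired: only the server-side timestamp is immune to what the client sends.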