| Subject: | Expire sessions server-side, not just in cookie |
Currently a session is expired based on the cookie alone, so a user can keep a session alive by playing with the time values on his/her remote machine, by manipulating the cookie itself, etc. This is not OK for authentication purposes. The attached patch will ensure that session expiration is handled both by the cookie's expiry, and by an expiration field stored server-side in the session, which the user cannot touch.
Also some very minor doc changes.
CHANGE FROM PREVIOUS VERSIONS: the expiry time is now set in {auth}{expiry}, with a value given in seconds, not in {auth}{cookie_expiry} with a cookie expiration string. This seems better anyway.
Message body not shown because it is not plain text.