In-Portal Issue Tracker

Welcome to the In-Portal Open Source CMS Issue Tracker! This is a central management / tracking tool for all types of tasks / issues / bugs for the In-Portal Project. Before reporting any issues, please make sure to read the Guide into Issue Tracker and How to Properly Test and Report Bugs!

Viewing Issue Simple Details [ Jump to Notes ] [ Wiki ]

[ View Advanced ] [ Issue History ] [ Print ]

Tags

No tags attached.

Reference

Change Log Message

Estimate Points

Attached Files

session_expiration_fix.patch [^] (4,902 bytes) 2009-11-11 13:08 [Show Content]

Index: kernel/db/db_event_handler.php
===================================================================
--- kernel/db/db_event_handler.php	(revision 12883)
+++ kernel/db/db_event_handler.php	(working copy)
@@ -536,6 +536,7 @@
 					$redirect_template = $this->Application->isAdmin ? 'no_permission' : $this->Application->ConfigValue('NoPermissionTemplate');
 
 					$redirect_params = $this->Application->HttpQuery->getRedirectParams(true);
+					$redirect_params['no_amp'] = 1;
 					$next_template = $this->Application->HREF('', '', $redirect_params);
 
 					$redirect_params = Array (
Index: kernel/processors/main_processor.php
===================================================================
--- kernel/processors/main_processor.php	(revision 12883)
+++ kernel/processors/main_processor.php	(working copy)
@@ -768,16 +768,26 @@
 
 		if ((!$this->Application->LoggedIn() || !$group_access) && $condition) {
 			$redirect_params = $this->Application->HttpQuery->getRedirectParams(true);
+			$redirect_params['no_amp'] = 1;
 
 			if (array_key_exists('pass_category', $params)) {
 				$redirect_params['pass_category'] = $params['pass_category'];
 			}
 
+			if (array_key_exists('expired', $redirect_params)) {
+				$session_expired = $redirect_params['expired'];
+				unset($redirect_params['expired']);
+			}
+
 			$redirect_params = Array (
 				'm_cat_id' => 0,
 				'next_template' => urlencode('external:' . $this->Application->HREF($t, '', $redirect_params)),
 			);
 
+			if (isset($session_expired) && $session_expired) {
+				$redirect_params['expired'] = $session_expired;
+			}
+
 			if ( $this->Application->LoggedIn() && !$group_access) {
 				$this->Application->Redirect($params['no_group_perm_template'], $redirect_params);
 			}
Index: kernel/session/session.php
===================================================================
--- kernel/session/session.php	(revision 12883)
+++ kernel/session/session.php	(working copy)
@@ -171,7 +171,7 @@
 		$query = ' DELETE FROM '.$this->SessionDataTable.' WHERE '.$this->IDField.' = '.$this->Conn->qstr($session->SID);
 		$this->Conn->Query($query);
 
-		$this->OriginalData = Array();
+		$this->DirectVars = $this->ChangedDirectVars = $this->OriginalData = Array();
 	}
 
 	function UpdateSession(&$session, $timeout=0)
@@ -503,6 +503,12 @@
 	 */
 	var $OptionalData = Array ();
 
+	/**
+	 * Session expiration mark
+	 *
+	 * @var bool
+	 */
+	var $expired = false;
 
 	function Session($mode = smAUTO)
 	{
@@ -595,10 +601,9 @@
 			return ;
 		}
 
-		$expired_sids = $this->DeleteExpired();
-		$my_sid_expired = in_array($this->CachedSID, $expired_sids);
+		$this->DeleteExpired();
 
-		if ( ($expired_sids && $my_sid_expired) || ($this->CachedSID && !$this->_fromGet && !$this->SessionSet) ) {
+		if ($this->expired || ($this->CachedSID && !$this->_fromGet && !$this->SessionSet)) {
 			$this->RemoveSessionCookie();
 			// true was here to force new session creation, but I (kostja) used
 			// RemoveCookie a line above, to avoid redirect loop with expired sid
@@ -608,6 +613,7 @@
 
 			// case #1: I've OR other site visitor expired my session
 			// case #2: I have no session in database, but SID is present
+			$this->expired = false;
 			$expire_event = new kEvent('u:OnSessionExpire');
 			$this->Application->HandleEvent($expire_event);
 		}
@@ -689,6 +695,13 @@
 	 */
 	function SetCookie($name, $value, $expires = null)
 	{
+		if (isset($expires) && $expires < adodb_mktime()) {
+			unset($this->Application->HttpQuery->Cookie[$name]);
+		}
+		else {
+			$this->Application->HttpQuery->Cookie[$name] = $value;
+		}
+
 		setcookie($name, $value, $expires, $this->CookiePath, $this->CookieDomain, $this->CookieSecure);
 	}
 
@@ -718,8 +731,13 @@
 
 			// If session has expired
 			if ($this->Expiration < adodb_mktime()) {
+				// when expired session is loaded, then SID is
+				// not assigned, but used in Destroy method
+				$this->SID = $sid;
 				$this->Destroy();
 
+				$this->expired = true;
+
 				// when Destory methods calls SetSession inside and new session get created
 				return $this->SessionSet;
 			}
@@ -729,6 +747,10 @@
 		}
 		else {
 			// fake or deleted due to expiration SID
+			if (!$this->_fromGet) {
+				$this->expired = true;
+			}
+
 			return false;
 		}
 	}
Index: units/helpers/permissions_helper.php
===================================================================
--- units/helpers/permissions_helper.php	(revision 12883)
+++ units/helpers/permissions_helper.php	(working copy)
@@ -266,6 +266,7 @@
 			if (!$perm_status) {
 				$t = $this->Application->GetVar('t');
 				$redirect_params = $this->Application->HttpQuery->getRedirectParams(true);
+				$redirect_params['no_amp'] = 1;
 				$next_template = $this->Application->HREF($t, '', $redirect_params);
 
 				$event->SetRedirectParam('m_cat_id', 0); // category means nothing on admin login screen

Relationships [ Relation Graph ] [ Dependency Graph ]

Notes
(0001080) Dmitry (manager) 2009-11-11 02:10	This is critical - we need to address this

(0001084) alex (manager) 2009-11-11 13:11	Done. Need to test expiration in all three session modes: auto, get only, cookies only. Expiration should happen when: 1. session is removed from db 2. session LastAccessed value + Expiration time is smaller then now Note: Session expiration will not happen when "get only" mode is used and session record is deleted from db, because for "get only" mode sid is added in url in any case and there is no way to know if it's really needed there.

(0001085) alex (manager) 2009-11-11 13:11	Fix committed to 5.0.x branch. Commit Message: Fixes 0000423: Session expiration doesn't happen at all

(0001086) alex (manager) 2009-11-11 13:11	Reminder sent to: Dmitry Test.

(0001330) Dmitry (manager) 2010-01-11 22:05	Closing completed tasks.

Related Changesets
In-Portal CMS: 5.0.x r12898 Timestamp: 2009-11-11 13:11:30 Author: alex [ Details ] [ Diff ]	Fixes 0000423: Session expiration doesn't happen at all
	mod - /in-portal/branches/5.0.x/core/kernel/db/db_event_handler.php	[ Diff ] [ File ]
	mod - /in-portal/branches/5.0.x/core/kernel/processors/main_processor.php	[ Diff ] [ File ]
	mod - /in-portal/branches/5.0.x/core/kernel/session/session.php	[ Diff ] [ File ]
	mod - /in-portal/branches/5.0.x/core/units/helpers/permissions_helper.php	[ Diff ] [ File ]

Issue History
Date Modified	Username	Field	Change
2010-01-11 22:05	Dmitry	Note Added: 0001330
2010-01-11 22:05	Dmitry	Status	resolved => closed
2009-11-11 13:11	alex	Issue Monitored: Dmitry
2009-11-11 13:11	alex	Note Added: 0001086
2009-11-11 13:11	alex	Note Added: 0001085
2009-11-11 13:11	alex	Status	needs testing => resolved
2009-11-11 13:11	alex	Fixed in Version	=> 5.0.2-B1
2009-11-11 13:11	alex	Resolution	open => fixed
2009-11-11 13:11	alex	Assigned To	!COMMUNITY => alex
2009-11-11 13:11	alex	Changeset attached	5.0.x r12898
2009-11-11 13:11	alex	Note Added: 0001084
2009-11-11 13:11	alex	Assigned To	alex => !COMMUNITY
2009-11-11 13:11	alex	Status	needs work => needs testing
2009-11-11 13:08	alex	File Added: session_expiration_fix.patch
2009-11-11 02:10	Dmitry	Note Added: 0001080
2009-11-11 02:10	Dmitry	Assigned To	=> alex
2009-11-11 02:10	Dmitry	Priority	normal => critical
2009-11-11 02:10	Dmitry	Status	active => needs work
2009-11-10 08:05	alex	Target Version	=> 5.0.2
2009-11-10 08:05	alex	New Issue

Web Development by Intechnic

In-Portal Open Source CMS