3 files changed, 55 insertions, 9 deletions

diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index 1ccf7e5db..a06fa7098 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -30,6 +30,8 @@ class ApplicationController < ActionController::Base
     before_filter :check_in_post_redirect
     before_filter :session_remember_me
     before_filter :set_vary_header
+    before_filter :validate_session_timestamp
+    after_filter  :persist_session_timestamp
 
     def set_vary_header
         response.headers['Vary'] = 'Cookie'
@@ -121,6 +123,29 @@ class ApplicationController < ActionController::Base
         end
     end
 
+    # Set a TTL for non "remember me" sessions so that the cookie
+    # is not replayable forever
+    SESSION_TTL = 3.hours
+    def validate_session_timestamp
+        if session[:user_id] && session.key?(:ttl) && session[:ttl] < SESSION_TTL.ago
+            clear_session_credentials
+            redirect_to signin_path
+        end
+    end
+
+    def persist_session_timestamp
+        session[:ttl] = Time.now if session[:user_id] && !session[:remember_me]
+    end
+
+    # Logout form
+    def clear_session_credentials
+        session[:user_id] = nil
+        session[:user_circumstance] = nil
+        session[:remember_me] = false
+        session[:using_admin] = nil
+        session[:admin_name] = nil
+    end
+
     def render_exception(exception)
         # In development or the admin interface let Rails handle the exception
         # with its stack trace templates
diff --git a/app/controllers/user_controller.rb b/app/controllers/user_controller.rb
index baeaab18a..9798ff8e2 100644
--- a/app/controllers/user_controller.rb
+++ b/app/controllers/user_controller.rb
@@ -260,16 +260,8 @@ class UserController < ApplicationController
         do_post_redirect post_redirect
     end
 
-    # Logout form
-    def _do_signout
-        session[:user_id] = nil
-        session[:user_circumstance] = nil
-        session[:remember_me] = false
-        session[:using_admin] = nil
-        session[:admin_name] = nil
-    end
     def signout
-        self._do_signout
+        clear_session_credentials
         if params[:r]
             redirect_to params[:r]
         else
diff --git a/spec/controllers/general_controller_spec.rb b/spec/controllers/general_controller_spec.rb
index c0a9d57d3..4a7a0bb48 100644
--- a/spec/controllers/general_controller_spec.rb
+++ b/spec/controllers/general_controller_spec.rb
@@ -126,6 +126,35 @@ describe GeneralController, "when showing the frontpage" do
 
     end
 
+    describe 'when handling logged-in users' do
+
+        before do
+            @user = FactoryGirl.create(:user)
+            session[:user_id] = @user.id
+        end
+
+        it 'should set a time to live on a non "remember me" session' do
+            get :frontpage
+            response.body.should match @user.name
+            session[:ttl].should be_within(1).of(Time.now)
+        end
+
+        it 'should not set a time to live on a "remember me" session' do
+            session[:remember_me] = true
+            get :frontpage
+            response.body.should match @user.name
+            session[:ttl].should be_nil
+        end
+
+        it 'should end a logged-in session whose ttl has expired' do
+            session[:ttl] = Time.now - 4.hours
+            get :frontpage
+            response.should redirect_to signin_path
+            session[:user_id].should be_nil
+        end
+
+    end
+
 end