aboutsummaryrefslogtreecommitdiffstats
path: root/app
diff options
context:
space:
mode:
Diffstat (limited to 'app')
-rw-r--r--app/controllers/application_controller.rb25
-rw-r--r--app/controllers/user_controller.rb10
2 files changed, 26 insertions, 9 deletions
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index 1ccf7e5db..a06fa7098 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -30,6 +30,8 @@ class ApplicationController < ActionController::Base
before_filter :check_in_post_redirect
before_filter :session_remember_me
before_filter :set_vary_header
+ before_filter :validate_session_timestamp
+ after_filter :persist_session_timestamp
def set_vary_header
response.headers['Vary'] = 'Cookie'
@@ -121,6 +123,29 @@ class ApplicationController < ActionController::Base
end
end
+ # Set a TTL for non "remember me" sessions so that the cookie
+ # is not replayable forever
+ SESSION_TTL = 3.hours
+ def validate_session_timestamp
+ if session[:user_id] && session.key?(:ttl) && session[:ttl] < SESSION_TTL.ago
+ clear_session_credentials
+ redirect_to signin_path
+ end
+ end
+
+ def persist_session_timestamp
+ session[:ttl] = Time.now if session[:user_id] && !session[:remember_me]
+ end
+
+ # Logout form
+ def clear_session_credentials
+ session[:user_id] = nil
+ session[:user_circumstance] = nil
+ session[:remember_me] = false
+ session[:using_admin] = nil
+ session[:admin_name] = nil
+ end
+
def render_exception(exception)
# In development or the admin interface let Rails handle the exception
# with its stack trace templates
diff --git a/app/controllers/user_controller.rb b/app/controllers/user_controller.rb
index baeaab18a..9798ff8e2 100644
--- a/app/controllers/user_controller.rb
+++ b/app/controllers/user_controller.rb
@@ -260,16 +260,8 @@ class UserController < ApplicationController
do_post_redirect post_redirect
end
- # Logout form
- def _do_signout
- session[:user_id] = nil
- session[:user_circumstance] = nil
- session[:remember_me] = false
- session[:using_admin] = nil
- session[:admin_name] = nil
- end
def signout
- self._do_signout
+ clear_session_credentials
if params[:r]
redirect_to params[:r]
else