Reduce session lifetime to 3h, clear cookies before login.

6a10f473 · marcel · d42718c3 · 6a10f473 · 6a10f473
Commit 6a10f473 authored Jun 16, 2017 by marcel
--- a/vispa/controller/root.py
+++ b/vispa/controller/root.py
@@ -68,6 +68,12 @@ class RootController(AbstractController):
        elif len(self.cache_bust) == 0:
             self.cache_bust = None

+    @classmethod
+    def expire_cookie(cls, name):
+        cherrypy.response.cookie[name] = ""
+        cherrypy.response.cookie[name]["expires"] = 0
+        cherrypy.response.cookie[name]["max-age"] = 0
+
    def mount_extension_controller(self, mountpoint, controller):
        if hasattr(self.extensions, mountpoint):
            logger.warning("Controller mountpoint already exists: %s" % mountpoint)
@@ -179,6 +185,12 @@ class RootController(AbstractController):
        if "user_id" in cherrypy.session:
            raise cherrypy.HTTPRedirect(path)

+        # delete all cookies except for the session id
+        session_key = cherrypy.serving.request.config.get("tools.sessions.name", "session_id")
+        for key in cherrypy.response.cookie.keys():
+            if key != session_key:
+                self.expire_cookie(key)
+
        login = cherrypy.request.login
        if login and vispa.config("user", "remote.enabled", False):
            user = User.get_by_name(db, login)
@@ -201,7 +213,6 @@ class RootController(AbstractController):
            vispa.fire_callback("user.login", user)
            raise cherrypy.HTTPRedirect(path)

-
        welcome_phrase = vispa.config("web", "text.welcome", "")
        login_text = vispa.config("web", "text.login", "")
        registration_text = vispa.config("web", "text.registration", "")
@@ -258,9 +269,7 @@ class RootController(AbstractController):

        # remove all cookies
        for key in cherrypy.response.cookie.keys():
-            cherrypy.response.cookie[key] = ""
-            cherrypy.response.cookie[key]["expires"] = 0
-            cherrypy.response.cookie[key]["max-age"] = 0
+            self.expire_cookie(key)

        raise cherrypy.HTTPRedirect(vispa.url.dynamic(path))


--- a/vispa/server.py
+++ b/vispa/server.py
@@ -167,7 +167,7 @@ class Server(object):
                'tools.sessions.path': urlparse(base_dynamic).path,
                'tools.sessions.storage_type': 'file',
                'tools.sessions.storage_path': vispa.datapath('sessions'),
-                'tools.sessions.timeout': 1440,
+                'tools.sessions.timeout': 180,
                'tools.staticdir.on': False,
                'tools.gzip.on': True,
                'tools.gzip.mime_types': ['text/html', 'text/css',