security: forcibly expire old sessions

this helps to guard against a replay attack with session cookies.
we use the session for a number of things, including logged in status,
history, poorcel mode, etc. a user can be logged in indefinitely by
replaying their session cookie or doing something which resets the timer
(ex. toggling poor mode). this adds a session expiration to whatever the
SESSION_LIFETIME constant is, which shouldn't be too restrictive (login
sessions being valid for 1 year).
pull/69/head
justcool393 2022-12-14 17:59:00 -06:00
parent 10dc8a37ac
commit f19eefcfe7
1 changed files with 7 additions and 0 deletions

@ -22,6 +22,13 @@ def get_logged_in_user():
v = client.user
v.client = client
else:
session_expiration = session.get("lo_user_expiration")
if session_expiration:
if time.time() - session_expiration > SESSION_LIFETIME:
session.pop("lo_user", None)
else:
session["lo_user_expiration"] = time.time() + SESSION_LIFETIME
lo_user = session.get("lo_user")
if lo_user:
id = int(lo_user)
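Review bot: the expiry comparison on the `if time.time() - session_expiration > SESSION_LIFETIME:` line is off by a full lifetime: `lo_user_expiration` is stored as an absolute deadline (`time.time() + SESSION_LIFETIME`), so the condition only becomes true once the current time is a whole `SESSION_LIFETIME` past that deadline, meaning a session survives for roughly twice the intended lifetime rather than the one year the commit message describes; compare against the stored deadline directly, e.g. `if time.time() > session_expiration:`. When a session is expired, also drop the `lo_user_expiration` key alongside `lo_user`, otherwise the stale deadline remains in the session and any later login that does not overwrite it will be expired on the very next request. The hunk also does not show `time` or `SESSION_LIFETIME` being imported or defined; confirm both are in scope in this module.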