From f19eefcfe76b16fa2c1fb6e3b1059ab5e87542fe Mon Sep 17 00:00:00 2001
From: justcool393
Date: Wed, 14 Dec 2022 17:59:00 -0600
Subject: [PATCH] security: forcibly expire old sessions

this helps to guard against a replay attack with session cookies. we use the session for a number of things, including logged in status, history, poorcel mode, etc. a user can be logged in indefinitely by replaying their session cookie or doing something which resets the timer (ex. toggling poor mode). this adds a session expiration to whatever the SESSION_LIFETIME constant is, which shouldn't be too restrictive (login sessions being valid for 1 year).
---
 files/routes/wrappers.py | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/files/routes/wrappers.py b/files/routes/wrappers.py
index fb7998c78..23055078b 100644
--- a/files/routes/wrappers.py
+++ b/files/routes/wrappers.py
@@ -22,6 +22,13 @@ def get_logged_in_user():
 		v = client.user
 		v.client = client
 	else:
+		session_expiration = session.get("lo_user_expiration")
+		if session_expiration:
+			if time.time() - session_expiration > SESSION_LIFETIME:
+				session.pop("lo_user", None)
+			else:
+				session["lo_user_expiration"] = time.time() + SESSION_LIFETIME
+
 		lo_user = session.get("lo_user")
 		if lo_user:
 			id = int(lo_user)
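Review bot: The expiry comparison in the added block is off by a full lifetime: `lo_user_expiration` is stored as `time.time() + SESSION_LIFETIME`, an absolute deadline, but the check `time.time() - session_expiration > SESSION_LIFETIME` only fires once that deadline is itself SESSION_LIFETIME in the past, so a session survives for twice the intended period; it should read `if time.time() > session_expiration:`. The else branch also pushes the deadline forward on every request, which makes this a sliding idle timeout rather than the absolute lifetime the commit message describes, so a cookie replayed at least once per SESSION_LIFETIME never expires; setting the deadline once where the session is created (outside this hunk) and not refreshing it here would match the stated intent. A session that carries `lo_user` but no `lo_user_expiration` — presumably every session issued before this change — skips the check entirely because of `if session_expiration:`, so it is worth deciding explicitly whether such sessions should be dropped or stamped with a deadline here, assuming the login path is where the key is first set. On expiry, `session.pop("lo_user_expiration", None)` next to the `lo_user` pop would avoid leaving a stale deadline behind. get_logged_in_user begins before and continues after this hunk.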