security: forcibly expire old sessions
This helps to guard against a replay attack with session cookies. We use the session for a number of things, including logged-in status, history, poorcel mode, etc. A user can be logged in indefinitely by replaying their session cookie or doing something which resets the timer (ex. toggling poor mode). This adds a session expiration to whatever the SESSION_LIFETIME constant is, which shouldn't be too restrictive (login sessions being valid for 1 year).
pull/69/head
parent 10dc8a37ac
commit f19eefcfe7
@ -22,6 +22,13 @@ def get_logged_in_user():
|
|||
v = client.user
|
||||
v.client = client
|
||||
else:
|
||||
session_expiration = session.get("lo_user_expiration")
|
||||
if session_expiration:
|
||||
if time.time() - session_expiration > SESSION_LIFETIME:
|
||||
session.pop("lo_user", None)
|
||||
else:
|
||||
session["lo_user_expiration"] = time.time() + SESSION_LIFETIME
|
||||
|
||||
lo_user = session.get("lo_user")
|
||||
if lo_user:
|
||||
id = int(lo_user)
|
||||
|
|
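Review bot: the expiry comparison at `if time.time() - session_expiration > SESSION_LIFETIME:` is off by a full lifetime. `lo_user_expiration` is stored as `time.time() + SESSION_LIFETIME`, so this condition only becomes true once the current time exceeds the stored expiry by another SESSION_LIFETIME, meaning a session actually survives for twice the constant. Compare against the stored timestamp directly: `if time.time() > session_expiration:`. Two smaller points in the same hunk: on expiry only `lo_user` is popped while `lo_user_expiration` stays in the session, so unless the login path overwrites it, a stale, already-past expiry remains after the user logs in again; pop both keys together. And the `else:` branch assigns a fresh expiration to any session that lacks the key, so a cookie issued before this change gets a full new lifetime on its next use instead of being expired; consider treating a missing key on a session that already carries `lo_user` as expired, or at minimum set the key at login rather than here.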