security: forcibly expire old sessions #69
Reference: rDrama/rDrama#69
This helps to guard against a replay attack with session cookies. We use the session for a number of things, including logged in status, history, poorcel mode, etc. A user can be logged in indefinitely by replaying their session cookie or doing something which resets the timer (ex. toggling poor mode). This adds a session expiration to whatever the SESSION_LIFETIME constant is, which shouldn't be too restrictive (login sessions being valid for 1 year).
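The mechanism the description sketches, as an added example that is not rDrama's code and not the contents of this PR: the session records an absolute start time when the user logs in, a before-request style check rejects any session older than SESSION_LIFETIME, and ordinary activity that rewrites the session (the "toggling poor mode" case) deliberately leaves that start time alone, so a replayed cookie cannot extend its own life. It is plain Python over a dict so it runs offline; the constant value, the key names and the function names are assumptions for illustration. The check only means something if the cookie is integrity-protected (as Flask's signed session cookie is), otherwise the client could simply rewrite the stamp.

```python
import time
from typing import Optional

# Assumed value for illustration: one year, matching the PR description.
SESSION_LIFETIME = 365 * 24 * 60 * 60


def start_session(session: dict, user_id: int, now: Optional[float] = None) -> dict:
    """Called at login. Records an absolute start stamp that is never refreshed later."""
    now = time.time() if now is None else now
    session.clear()
    session["user_id"] = user_id
    session["session_start"] = now  # the only place this key is written
    return session


def session_expired(session: dict, now: Optional[float] = None,
                    lifetime: float = SESSION_LIFETIME) -> bool:
    """True if the session is older than `lifetime` or carries no start stamp.

    Cookies minted before expiration existed have no stamp; treating them as
    expired forces a fresh login instead of letting them live forever.
    Relies on the cookie being signed so the stamp cannot be forged client-side.
    """
    now = time.time() if now is None else now
    start = session.get("session_start")
    if not isinstance(start, (int, float)):
        return True
    return now - start >= lifetime


def enforce_expiration(session: dict, now: Optional[float] = None,
                       lifetime: float = SESSION_LIFETIME) -> bool:
    """Before-request check. Clears an expired session and returns whether the
    request still counts as logged in."""
    if "user_id" not in session:
        return False
    if session_expired(session, now, lifetime):
        session.clear()  # drop everything, not just user_id, so nothing leaks across
        return False
    return True


def toggle_poor_mode(session: dict) -> bool:
    """Example of activity that rewrites the session. It intentionally does NOT
    touch session_start: rewriting the cookie must not reset the clock."""
    session["poor"] = not session.get("poor", False)
    return session["poor"]


if __name__ == "__main__":
    t0 = 1_000_000.0
    s = start_session({}, user_id=42, now=t0)
    replayed_copy = dict(s)  # an attacker's captured copy of the cookie contents
    toggle_poor_mode(s)      # activity just before expiry does not extend it
    print(enforce_expiration(s, now=t0 + SESSION_LIFETIME - 1))  # True
    print(enforce_expiration(s, now=t0 + SESSION_LIFETIME))      # False
    print(enforce_expiration(replayed_copy, now=t0 + SESSION_LIFETIME))  # False
```

Because the stamp is written only at login, the lifetime is a hard ceiling on how long any copy of the cookie is usable; if idle timeouts are wanted as well, they belong in a separate key so the absolute bound survives.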
fixes problem that doesn't exist
check discord DMs
Pull request closed