fix: change handling of cookies

Mario Oenning requested to merge moson/aurweb:fix-cookies into master
  • Settings for authenticated users are retrieved from the DB and don't need to be stored as a cookie (AURTZ, AURLANG).
  • Fix AURREMEMBER cookie check. Currently always evaluates to bool->True, although the cookie value is "False"
  • AURREMEMBER should be a persistent cookie, otherwise it might happen that the AURSID lifetime is reset to the minimal lifetime even though the user ticked the "Remember me" box when logging in.
  • If "remember me" was not ticked we make AURSID a session cookie instead of a short-lived permanent one.
  • Make AURLANG a "permanent" cookie with 400 days lifetime (no need for a non-authed user to constantly set the language again)
  • Don't refresh cookies during requests (not required): AURLANG, AURREMEMBER are valid 400 days with the changes above. AURREMEMBER is (re)set on login, so at the latest every 30 days it's renewed anyway. AURSID is either a session cookie or valid for 30 days.

Note that a user's session validity is checked with every request.
This is currently either 2 hours ("remember me" on) or 30 days ("remember me" off).
With this MR we just adapt cookie lifetimes and fix a few glitches to increase convenience for the user, mainly noticeable for unauthenticated users (-> language setting) and for those where session cookies vanish on browser-close (which should be the default behavior of a browser).

We might want to increase the config setting login_timeout (the shorter one / when "remember me" = False) to 4 hours or so.

Signed-off-by: moson-mo <mo-son@mailbox.org>
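As an added illustration (not aurweb's own code), a small Python model of the cookie rules this MR describes: the AURREMEMBER truthiness bug next to its fixed check, and a login that emits AURSID as a session cookie unless "remember me" was ticked. The helper names, the module-level timeout constants and the Secure/HttpOnly/SameSite attributes are assumptions of this example, not taken from the MR.

```python
from http.cookies import SimpleCookie

# Lifetimes in seconds. The 30-day and 400-day figures come from the MR text;
# holding them as module constants is an assumption of this example.
REMEMBER_TIMEOUT = 30 * 24 * 60 * 60
PERSISTENT_TIMEOUT = 400 * 24 * 60 * 60


def parse_cookie_header(header: str) -> dict:
    """Turn a request 'Cookie:' header into a {name: value} mapping."""
    jar = SimpleCookie()
    jar.load(header)
    return {name: morsel.value for name, morsel in jar.items()}


def remember_me_buggy(cookies: dict) -> bool:
    # Before the fix: any non-empty string is truthy, so the literal
    # value "False" is still treated as "remember me" ticked.
    return bool(cookies.get("AURREMEMBER"))


def remember_me_fixed(cookies: dict) -> bool:
    # After the fix: compare the string value explicitly; a missing cookie
    # or anything other than "True" means the box was not ticked.
    return cookies.get("AURREMEMBER") == "True"


def login_set_cookies(sid: str, remember: bool) -> dict:
    """Build the Set-Cookie values a login response would carry (hypothetical helper)."""
    jar = SimpleCookie()
    jar["AURSID"] = sid
    jar["AURSID"]["httponly"] = True    # keep the session id away from page scripts
    jar["AURSID"]["secure"] = True      # never send it over plain HTTP
    jar["AURSID"]["samesite"] = "Strict"
    if remember:
        jar["AURSID"]["max-age"] = REMEMBER_TIMEOUT
    # No Max-Age/Expires otherwise: AURSID is a session cookie, dropped on browser close.
    jar["AURREMEMBER"] = "True" if remember else "False"
    jar["AURREMEMBER"]["max-age"] = PERSISTENT_TIMEOUT  # persistent, as the MR requires
    return {name: morsel.OutputString() for name, morsel in jar.items()}
```

Run the two checks against a request carrying `AURREMEMBER=False` to see the buggy version report True and the fixed one False.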
