Cookies not expiring when the browser closes
Submitted by phpuser on Fri, 03/21/2008 - 14:37.
| Project: | ProjectPier |
| Version: | 0.8.0.2 |
| Component: | Code |
| Category: | bug report |
| Priority: | normal |
| Assigned: | Unassigned |
| Status: | closed - by issue author |
Description
Overview
-----------
Cookies not being cleared when the user closes the browser (all browsers). This could lead to a false sense of security by the user.
Server Details
---------------
ProjectPier: 0.8.2
Ubuntu: 6.10
Apache: 2.2.3
PHP: 5.2.1
Browsers: All major browsers
Steps to reproduce
-------------------
Log in to ProjectPier with any browser. Close the browser and reopen and browse back to ProjectPier to be automatically logged back in.
Proposed solution
------------------
In Cookie::setValue, change such that if a NULL $expiration is passed in, pass that NULL value on to the setcookie function so the cookie will be removed when the session is over.

Property changes on: upload
___________________________________________________________________
Name: svn:ignore
+ *
Property changes on: cache
___________________________________________________________________
Name: svn:ignore
+ *
Index: application/models/CompanyWebsite.class.php
===================================================================
--- application/models/CompanyWebsite.class.php (revision 146)
+++ application/models/CompanyWebsite.class.php (working copy)
@@ -223,7 +223,7 @@
$user->save();
} // if
- $expiration = $remember ? REMEMBER_LOGIN_LIFETIME : SESSION_LIFETIME;
+ $expiration = $remember ? REMEMBER_LOGIN_LIFETIME : null;
Cookie::setValue('id'.TOKEN_COOKIE_NAME, $user->getId(), $expiration);
Cookie::setValue(TOKEN_COOKIE_NAME, $user->getTwistedToken(), $expiration);
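Review bot: On the changed `$expiration` line, the non-remember branch drops SESSION_LIFETIME entirely, so the 'id' and token cookies now live for as long as the browser keeps them, with no upper bound set by this code. Browsers that restore the previous session on restart can keep session cookies alive, so closing the browser is not a guaranteed logout. If SESSION_LIFETIME is meant to act as an idle limit, enforce it server-side when the token is validated rather than relying on cookie expiry, and confirm whether the constant is still referenced anywhere after this change.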
Index: environment/classes/Cookie.class.php
===================================================================
--- environment/classes/Cookie.class.php (revision 146)
+++ environment/classes/Cookie.class.php (working copy)
@@ -28,6 +28,7 @@
* @return null
*/
static function setValue($name, $value, $expiration = null) {
+
$expiration_time = DateTimeValueLib::now();
if ((integer) $expiration > 0) {
$expiration_time->advance($expiration);
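Review bot: The only change in this hunk is a stray blank line added directly after the `setValue` signature; drop it. The docblock above the function should instead gain a line stating that a null `$expiration` now produces a cookie that expires at the end of the browser session, since that is the new contract callers depend on.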
@@ -35,11 +36,14 @@
$expiration_time->advance(3600); // one hour
} // if
+ // if $expiration is null, set the cookie to expire when the session is over
+ $expiration_timestamp = is_null($expiration) ? null : $expiration_time->getTimestamp();
+
$path = defined('COOKIE_PATH') ? COOKIE_PATH : '/';
$domain = defined('COOKIE_DOMAIN') ? COOKIE_DOMAIN : '';
$secure = defined('COOKIE_SECURE') ? COOKIE_SECURE : false;
- setcookie($name, $value, $expiration_time->getTimestamp(), $path, $domain, $secure);
+ setcookie($name, $value, $expiration_timestamp, $path, $domain, $secure);
} // setValue
/**
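Review bot: On the new `$expiration_timestamp` line, null is passed through to `setcookie`, whose expiry argument is an integer; pass 0 explicitly (`is_null($expiration) ? 0 : $expiration_time->getTimestamp()`), which is the documented value for a session cookie and does not rely on null being coerced. Because `$expiration` defaults to null, every caller that omits the argument changes from the one-hour fallback to a session cookie, and that fallback is now only reached for non-null, non-positive values, so the other callers of `Cookie::setValue` should be checked. The `setcookie` call also still leaves the httponly argument unset; since these cookies carry the login token, passing `true` as a seventh argument would keep them out of reach of page scripts.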
Property changes on: config
___________________________________________________________________
Name: svn:ignore
+ *
Property changes on: public/assets/themes
___________________________________________________________________
Name: svn:ignore
+ *
Updated status to code review
Thanks phpuser, committed as r150.
Automatically closed -- issue fixed for two weeks with no activity.
How do I apply this patch?
Thanks,
Aaron B. Allison
http://projectpier.org/patch/apply