Topic: Session Time-out (user)


Cees

  • Coppermine newbie
Session Time-out (user)
« on: January 13, 2004, 01:18:48 am »

I experienced that when closing my windows (IE) with Coppermine in it, surfing around, and returning to my album after a while (Coppermine of course) in another browser-window: I didn't need to log in.
I actually expected one of these situations to happen:
- either my session would have been timed-out, so am I able to configure a Session Length somewhere?
- besides I was surprised my log-in was still remembered in a different window

I'd like to fix this problem for I edit my album every now and then on a PC that is used by others as well. :wink:
For information: I did not enable "remember me" when entering my log-in info and yes, I did use the search of this forum but unfortunately could not find my answer.

Using:
Coppermine Photo Gallery: 1.2.1 / PHP version: 4.3.1 / mySQL version: 3.23.49-log

Cookies & Charset settings:  
Name of the cookie used by the script: cpg11d
Path of the cookie used by the script: /
Character encoding: Default (language file)

Joachim Müller

  • Dev Team member
  • aka "GauGau"
Session Time-out (user)
« Reply #1 on: January 13, 2004, 05:52:26 am »

Coppermine doesn't use sessions, but relies on cookie-based login. If you haven't ticked the checkbox "Remember me" (which will keep the cookie's lifetime nearly eternal) then your login is valid for as long as your PC is powered on (or rather: as long as you're logged in with the same user when using a multi-user system like WinNT or better or anything Lunix'ish). Plain cookie technology, nothing unexpected here...
What do you want the behaviour to be?

GauGau

Cees

  • Coppermine newbie
Session Time-out (user)
« Reply #2 on: January 13, 2004, 10:22:22 am »

Quote from: "gaugau"
What do you want the behaviour to be?

Most preferably would be behaviour like phpBB: option to set a Session Length (which I understand is not (yet) supported by Coppermine) or even better: when opening a new browser window an obligatory re-login (though I do not know how to realise that). Resulting in a cookie that is only valid for the window it has been made/started in?

Currently, I just found out, even after rebooting the system (W2K), logging in the same user and browsing around some, my login is still remembered. Because these systems are used by several people with the same user-account, this is not quite the way I like it.

phpBB is running on the same server, no integrating of both however

hyperion

  • VIP
Session Time-out (user)
« Reply #3 on: January 13, 2004, 06:42:30 pm »

For a temporary fix, simply delete the browser's cookies when you are done working with your gallery.

dnulke

  • Coppermine newbie
Yes please!
« Reply #4 on: January 13, 2004, 10:11:38 pm »

I would also like a timeout function. Either as long as the browser is running or even better, a 20 minute inactivity timeout. I don't know if this is even possible with the cookie approach.

Cees

  • Coppermine newbie
Session Time-out (user)
« Reply #5 on: January 14, 2004, 01:12:52 pm »

Quote from: "hyperion"
simply delete the browser's cookies when you are done working with your gallery

That's an option, I see. But I think it's easier to remember myself somehow to log out when finished. Logging out is not the problem, only when forgetting so, others are able to edit the album in this particular situation on a public computer.
Therefore I think it's in terms of security good to fix, or create an option to fix, this situation.

Could someone pass this through for a Feature request?

Joachim Müller

  • Dev Team member
  • aka "GauGau"
Session Time-out (user)
« Reply #6 on: January 14, 2004, 10:14:40 pm »

moved thread to "feature requests" as per request.

GauGau

pogo

  • Coppermine newbie
Session Time-out (user)
« Reply #7 on: March 22, 2004, 05:51:04 pm »

I agree with Cees, security is a big concern here as far as admin or public users forgetting to logout in public cafes. In result, this security hole can be valuable to intruders possibly thrashing out your entire gallery and delete users as long as cookies are not deleted from that particular computer. Implementing a timeout session length would definitely help in future release of CPG. Thanks for everything that you guys have done to make this great online gallery possible!

pogo

Joachim Müller

  • Dev Team member
  • aka "GauGau"
Session Time-out (user)
« Reply #8 on: March 22, 2004, 06:23:15 pm »

I don't see it that dramatically: "regular" users shouldn't have more rights than to modify their user gallery, so the only thing someone could do on a public computer where a coppermine user has forgotten to log out is mess with the user's gallery. You (as gallery admin) should simply know what you're doing - if you must access the internet from another computer than your own, you'll definitely have to make sure nobody can use your "leftovers" on that computer to ruin your page.

Sessions may be a solution for some things, but they cause problems as well: if we don't come up with an option to switch sessions off, then it shouldn't go into mainstream coppermine code imo.

GauGau
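
The question raised in reply #4, whether a 20-minute inactivity timeout is possible with a cookie-based login and no server-side session, can be answered with a signed cookie that carries its own timestamps. The following is an added example, not Coppermine code and not written by any poster in this thread; the function names, token layout, demo key and the 8-hour absolute cap are assumptions.

```php
<?php
// Added example, not Coppermine code. All names here are hypothetical.
const IDLE_LIMIT   = 20 * 60;   // the 20-minute inactivity timeout asked for in the thread
const MAX_LIFETIME = 8 * 3600;  // assumed absolute cap on a single login

// Token layout: user_id|login_time|last_seen|hmac_sha256(payload)
function issue_token(string $key, int $userId, int $loginAt, int $now): string
{
    $payload = $userId . '|' . $loginAt . '|' . $now;
    return $payload . '|' . hash_hmac('sha256', $payload, $key);
}

// Returns [user_id, refreshed_token] for a live login, or null when the
// cookie is malformed, forged, idle too long, or past the absolute cap.
function check_token(string $key, string $token, int $now): ?array
{
    $parts = explode('|', $token);
    if (count($parts) !== 4) {
        return null;
    }
    [$userId, $loginAt, $lastSeen, $mac] = $parts;
    $expected = hash_hmac('sha256', "$userId|$loginAt|$lastSeen", $key);
    if (!hash_equals($expected, $mac)) {   // constant-time comparison
        return null;
    }
    $loginAt  = (int) $loginAt;
    $lastSeen = (int) $lastSeen;
    if ($lastSeen > $now
        || $now - $lastSeen > IDLE_LIMIT
        || $now - $loginAt > MAX_LIFETIME) {
        return null;
    }
    // Sliding window: every accepted request re-stamps last_seen.
    return [(int) $userId, issue_token($key, (int) $userId, $loginAt, $now)];
}

// Constructed walk-through with a fixed clock and a constructed key.
$key    = 'constructed-demo-key-not-for-production';
$t0     = 1074000000;
$cookie = issue_token($key, 42, $t0, $t0);

var_dump(check_token($key, $cookie, $t0 + 600) !== null);  // request after 10 minutes idle
var_dump(check_token($key, $cookie, $t0 + 1500));          // request after 25 minutes idle
var_dump(check_token($key, $cookie . 'x', $t0 + 600));     // token with a modified MAC
```

Because nothing is stored on the server, logging out can only clear the cookie in the browser; a copy of the token stays usable until it idles out or reaches the absolute cap, which is the trade-off against a server-side session table.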