libre-service.eu/pad.libre-service.eu-etherpad
libre-service.eu/pad.libre-service.eu-etherpad
1
0
Fork 0
mirror of https://github.com/ether/etherpad-lite.git synced 2025-01-19 06:03:34 +01:00
Code Issues Projects Releases Wiki Activity

express-session: Set a finite cookie lifetime

Browse source
This commit is contained in:
Richard Hansen 2021-12-22 23:42:19 -05:00
parent ec10700dff
commit 023e58cfe6
4 changed files with 27 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
CHANGELOG.md
View file

@ -6,6 +6,7 @@
* `express_sid` cookies and `sessionstorage:*` database records are no longer
created unless `requireAuthentication` is `true` (or a plugin causes them to
be created).
* Login sessions now have a finite lifetime by default (10 days).
* `sessionstorage:*` database records are automatically deleted when the login
session expires (with some exceptions that will be fixed in the future).
* Requests for static content (e.g., `/robots.txt`) and special pages (e.g.,
@ -45,6 +46,9 @@
### Compatibility changes
* The default login session expiration (applicable if `requireAuthentication` is
`true`) changed from never to 10 days.
#### For plugin authors
* The `client` context property for the `handleMessageSecurity` and

22
settings.json.template
View file

@ -375,7 +375,27 @@
* significant usability drawbacks vs. "Lax". See
* https://stackoverflow.com/q/41841880 for discussion.
*/
"sameSite": "Lax"
"sameSite": "Lax",
/*
* How long (in milliseconds) a session lasts before the user is required to
* log in again. (The express_sid cookie is set to expire at time now +
* sessionLifetime when first created.) If requireAuthentication is false
* then this value does not really matter.
*
* The "best" value depends on your users' usage patterns and the amount of
* convenience you desire. A long lifetime is more convenient (users won't
* have to log back in as often) but has some drawbacks:
* - It increases the amount of state kept in the database.
* - It might weaken security somewhat: Once a user has accessed a pad,
* the user can continue to use the pad until the session expires.
*
* Session lifetime can be set to infinity (not recommended) by setting this
* to null or 0. Note that if the session does not expire, most browsers
* will delete the cookie when the browser exits, but a session record is
* kept in the database forever.
*/
"sessionLifetime": 864000000 // = 10d * 24h/d * 60m/h * 60s/m * 1000ms/s
},
/*

1
src/node/hooks/express.js
View file

@ -186,6 +186,7 @@ exports.restartServer = async () => {
// cleaner :)
name: 'express_sid',
cookie: {
maxAge: settings.cookie.sessionLifetime || null, // Convert 0 to null.
sameSite: settings.cookie.sameSite,
// The automatic express-session mechanism for determining if the application is being served

1
src/node/utils/Settings.js
View file

@ -322,6 +322,7 @@ exports.cookie = {
* https://stackoverflow.com/q/41841880 for discussion.
*/
sameSite: 'Lax',
sessionLifetime: 10 * 24 * 60 * 60 * 1000,
};
/*