express-session: Set a finite cookie lifetime

This commit is contained in:
Richard Hansen 2021-12-22 23:42:19 -05:00
parent ec10700dff
commit 023e58cfe6
4 changed files with 27 additions and 1 deletions

View file

@ -6,6 +6,7 @@
* `express_sid` cookies and `sessionstorage:*` database records are no longer * `express_sid` cookies and `sessionstorage:*` database records are no longer
created unless `requireAuthentication` is `true` (or a plugin causes them to created unless `requireAuthentication` is `true` (or a plugin causes them to
be created). be created).
* Login sessions now have a finite lifetime by default (10 days).
* `sessionstorage:*` database records are automatically deleted when the login * `sessionstorage:*` database records are automatically deleted when the login
session expires (with some exceptions that will be fixed in the future). session expires (with some exceptions that will be fixed in the future).
* Requests for static content (e.g., `/robots.txt`) and special pages (e.g., * Requests for static content (e.g., `/robots.txt`) and special pages (e.g.,
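Review bot: the new changelog bullet ("Login sessions now have a finite lifetime by default (10 days)") does not name the setting that controls the lifetime, so an administrator reading the changelog cannot tell where to adjust it; suggest "Login sessions now have a finite lifetime by default (10 days; see the new `cookie.sessionLifetime` setting)."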
@ -45,6 +46,9 @@
### Compatibility changes ### Compatibility changes
* The default login session expiration (applicable if `requireAuthentication` is
`true`) changed from never to 10 days.
#### For plugin authors #### For plugin authors
* The `client` context property for the `handleMessageSecurity` and * The `client` context property for the `handleMessageSecurity` and
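Review bot: the compatibility entry says what changed but not how to keep the previous behaviour, which is the question a deployment that relied on never-expiring sessions will ask; since the template describes `0` or `null` as "infinite", add a clause such as "Set `cookie.sessionLifetime` to `0` to restore the old behaviour (not recommended)."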

View file

@ -375,7 +375,27 @@
* significant usability drawbacks vs. "Lax". See * significant usability drawbacks vs. "Lax". See
* https://stackoverflow.com/q/41841880 for discussion. * https://stackoverflow.com/q/41841880 for discussion.
*/ */
"sameSite": "Lax" "sameSite": "Lax",
/*
* How long (in milliseconds) a session lasts before the user is required to
* log in again. (The express_sid cookie is set to expire at time now +
* sessionLifetime when first created.) If requireAuthentication is false
* then this value does not really matter.
*
* The "best" value depends on your users' usage patterns and the amount of
* convenience you desire. A long lifetime is more convenient (users won't
* have to log back in as often) but has some drawbacks:
* - It increases the amount of state kept in the database.
* - It might weaken security somewhat: Once a user has accessed a pad,
* the user can continue to use the pad until the session expires.
*
* Session lifetime can be set to infinity (not recommended) by setting this
* to null or 0. Note that if the session does not expire, most browsers
* will delete the cookie when the browser exits, but a session record is
* kept in the database forever.
*/
"sessionLifetime": 864000000 // = 10d * 24h/d * 60m/h * 60s/m * 1000ms/s
}, },
/* /*
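Review bot: the comment should say explicitly whether the lifetime is absolute or refreshed by activity, because that decides how a value should be chosen; the sentence "set to expire at time now + sessionLifetime when first created" implies a fixed expiry measured from login regardless of later requests, so state that plainly, e.g. "The lifetime is counted from login, not from the last request." One smaller point: the value line ends in a `//` line comment while the rest of this file uses `/* */` blocks; confirm the template's comment stripping accepts line comments before relying on it here.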

View file

@ -186,6 +186,7 @@ exports.restartServer = async () => {
// cleaner :) // cleaner :)
name: 'express_sid', name: 'express_sid',
cookie: { cookie: {
maxAge: settings.cookie.sessionLifetime || null, // Convert 0 to null.
sameSite: settings.cookie.sameSite, sameSite: settings.cookie.sameSite,
// The automatic express-session mechanism for determining if the application is being served // The automatic express-session mechanism for determining if the application is being served
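Review bot: `settings.cookie.sessionLifetime || null` turns every falsy value into a never-expiring cookie (including `NaN` from a mistyped setting, not only the documented `0` and `null`) and passes a negative number straight through as `maxAge`, which yields a cookie that is already expired when issued; suggest validating the setting once at load time (accept `null` or a non-negative integer, reject everything else with a clear error) and only then mapping `0` to `null`, so the security-relevant "no expiry" case cannot be reached by accident.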

View file

@ -322,6 +322,7 @@ exports.cookie = {
* https://stackoverflow.com/q/41841880 for discussion. * https://stackoverflow.com/q/41841880 for discussion.
*/ */
sameSite: 'Lax', sameSite: 'Lax',
sessionLifetime: 10 * 24 * 60 * 60 * 1000,
}; };
/* /*
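Review bot: the new default `sessionLifetime: 10 * 24 * 60 * 60 * 1000` carries no doc comment, whereas the neighbouring `sameSite` default has the same explanatory block as the template; add a short comment here (value is in milliseconds, `0` or `null` disables expiry, not recommended) so a reader of `Settings.js` does not have to open the template to learn the units or the infinite-lifetime escape hatch.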