#24735 closed defect (bug) (fixed)
Login grace period
| Reported by: | azaozz | Owned by: | azaozz |
|---|---|---|---|
| Milestone: | 3.7 | Priority: | normal |
| Severity: | normal | Version: | |
| Component: | Administration | Keywords: | |
| Focuses: | | Cc: | |
Description
After the cookies expire there is a "grace period" of one hour for POST and AJAX requests. However this doesn't work when the user clicks "Remember Me" on the login screen. The cookies are set with the same expiration time as the $expiration component in them. When that time comes, the browser doesn't send the cookies and the `$expired += HOUR_IN_SECONDS;` is pointless. This works when the Remember Me is not checked as the cookies are set for the session, i.e. last as long as the browser is open.
Attachments (1)
Change History (6)
#2
@
11 years ago
- Owner set to azaozz
- Resolution set to fixed
- Status changed from new to closed
In 25107:
#4
@
11 years ago
I think I weighed in on this in IRC: Can we just extend it by one hour, given that's the grace period? Why must it be 12 (or 24) hours?
#5
@
11 years ago
We can, but may miss some border cases where the user's computer clock is not set properly or the users hard-reset their computer clock when crossing timezones, etc. The 12 hours cover any differences between what the server thinks is the UTC time and what the user's computer thinks.
Best way to fix this would be to set the cookies' expiration time longer than the $expiration component when "Remember Me" is checked. That will partially emulate the behavior when "Remember Me" is not checked, i.e. even if the cookies exceed our internal expiration time, the browsers will still send them.
By default that time is 14 days. Extending that by one day seems sufficient.
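The timing problem discussed in this ticket, modelled as an added example (not WordPress core code and not code from the ticket): it compares a session cookie, a persistent cookie whose expiry equals `$expiration`, and persistent cookies extended by 1 and 12 hours, for a request made 30 minutes after the internal expiry. The function names, the constructed timestamp and the 2-hour client clock offset are assumptions.

```php
<?php
// Added illustration, not WordPress core code. Function names are hypothetical.
const HOUR = 3600;   // same value as WordPress's HOUR_IN_SECONDS
const DAY  = 86400;

// Browser side: a session cookie (expire 0) is sent while the browser is open;
// a persistent cookie is dropped once the *client* clock passes its expiry.
function browser_sends(int $cookieExpire, int $clientNow): bool {
    return $cookieExpire === 0 || $clientNow < $cookieExpire;
}

// Server side: the $expiration embedded in the cookie value is checked against
// the server clock, with one extra hour of grace for POST and AJAX requests.
function server_accepts(int $expiration, int $serverNow, string $method, bool $ajax = false): bool {
    $expired = $expiration;
    if ($ajax || $method === 'POST') {
        $expired += HOUR;
    }
    return $serverNow <= $expired;
}

// A request succeeds only if the cookie is sent and then accepted.
// $clientSkew is how far the client clock runs ahead of the server clock.
function request_ok(int $cookieExpire, int $expiration, int $serverNow, string $method, int $clientSkew = 0): bool {
    return browser_sends($cookieExpire, $serverNow + $clientSkew)
        && server_accepts($expiration, $serverNow, $method);
}

$expiration = 1700000000 + 14 * DAY;  // constructed timestamp; 14-day default
$now        = $expiration + 30 * 60;  // 30 minutes after the internal expiry

$cases = [
    'session cookie (no Remember Me)'   => 0,
    'Remember Me, expire = $expiration' => $expiration,
    'Remember Me, expire + 1 hour'      => $expiration + HOUR,
    'Remember Me, expire + 12 hours'    => $expiration + 12 * HOUR,
];
foreach ($cases as $label => $cookieExpire) {
    printf("%-36s POST:%-5s POST, client clock +2h:%-5s GET:%s\n",
        $label,
        var_export(request_ok($cookieExpire, $expiration, $now, 'POST'), true),
        var_export(request_ok($cookieExpire, $expiration, $now, 'POST', 2 * HOUR), true),
        var_export(request_ok($cookieExpire, $expiration, $now, 'GET'), true));
}
```

In this model the grace period only takes effect when the browser still sends the cookie, and the client-clock column shows why a margin larger than the grace period itself is argued for in the last comment.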