  1. phpBB
  2. PHPBB-7814

Valid cookie only for the session


    • Improvement
    • Resolution: Won't Fix
    • Minor
    • 3.2.2-RC1
    • 3.0.2
    • Login
    • None
    • PHP Environment: 5.2.0-8+etch11
      Database: MySQL 5.0.32

      Log in with username and password without "remember me".
      Close the browser.
      Open the browser -> still logged in.

      I think the right use case should be "not logged in" if I have logged in without "remember me": the cookie must expire at the end of the session. Otherwise this is a kind of security problem.

      Session.php, row 698 fix with code:

      change

      $cookie_expire = $this->time_now+(($config['max_autologin_time']) ? 86400 * (int) $config['max_autologin_time'] : 31536000);
      

      with

      if ($persist_login)
      {
          $cookie_expire = $this->time_now + (($config['max_autologin_time']) ? 86400 * (int) $config['max_autologin_time'] : 31536000);
      }
      else
      {
          $cookie_expire = null;
      }
      

            CHItA
            gogoluxecs
            Votes: 2
            Watchers: 4

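
The behaviour requested in this report, shown as an added PHP example that is not phpBB's code and not part of the original issue: a cookie header is built with an expiry only when "remember me" was chosen, and a small check classifies the result as session-only or persistent. The function names, parameters, cookie name and timestamp are constructed for illustration.

```php
<?php
// Added example, not phpBB code. All names below are hypothetical.

/**
 * Build a Set-Cookie header value. When $persist_login is false no
 * Expires attribute is emitted, so the browser keeps the cookie only
 * for the current browser session.
 */
function build_login_cookie(string $name, string $value, bool $persist_login,
                            int $max_autologin_days, int $now): string
{
    $header = rawurlencode($name) . '=' . rawurlencode($value);

    if ($persist_login)
    {
        // Same lifetime rule as the line quoted in the report:
        // the configured number of days, or one year when it is 0.
        $lifetime = $max_autologin_days ? 86400 * $max_autologin_days : 31536000;
        $header .= '; expires=' . gmdate('D, d-M-Y H:i:s \G\M\T', $now + $lifetime);
    }

    return $header . '; path=/; HttpOnly';
}

/** True when a Set-Cookie value carries Expires or Max-Age. */
function cookie_is_persistent(string $set_cookie): bool
{
    // Skip the leading name=value pair and inspect attribute names only.
    foreach (array_slice(explode(';', $set_cookie), 1) as $attr)
    {
        $attr_name = strtolower(trim(explode('=', $attr, 2)[0]));
        if ($attr_name === 'expires' || $attr_name === 'max-age')
        {
            return true;
        }
    }
    return false;
}

$now = 1200000000; // constructed timestamp
$session_only = build_login_cookie('example_sid', 'constructed-session-id', false, 0, $now);
$remembered   = build_login_cookie('example_sid', 'constructed-session-id', true, 7, $now);

echo $session_only, "\n", $remembered, "\n";
var_dump(cookie_is_persistent($session_only), cookie_is_persistent($remembered));
```

Browsers set to restore the previous session on startup may keep session cookies across a restart, so the server-side session lifetime still decides how long a login remains usable.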