- Merge request !24Issue #3308456: Autologout cookie is not secure → (Open) created by dylan donkersgoed
- 🇳🇱Netherlands johan_vm Tilburg
Patch #11 works fine, but REQUEST_TIME is deprecated, so I added a small fix for that.
The last submitted patch, 12: 3308456-12.patch, failed testing. View results →
- last update
over 1 year ago 15 pass, 7 fail - First commit to issue fork.
- Status changed to Needs review
over 1 year ago 9:46am 25 September 2023 - 🇸🇮Slovenia deaom
I added the post update hook for the new settings, so existing users have values set and they only need to export the configuration (to have it set "default"). And also applied the changes from patch in comment #12 ✨ Autologout cookie is not secure Needs review
The testing is now done via GitLab CI and test are passing, so setting the status to needs review and "hidding" the patch files, as the issue fork exists and all changes should be done there. - Status changed to Needs work
over 1 year ago 11:26am 25 September 2023 When the user logs in the cookie correctly sets values of the cookie. The problem comes when JS sets a new cookie
cookies.set("Drupal.visitor.autologout_login", Math.round((new Date()).getTime() / 1000));this resets all values toNone.Looking into fixing it.
- Status changed to Needs review
over 1 year ago 12:13pm 25 September 2023 - Status changed to RTBC
over 1 year ago 6:30am 26 September 2023 - 🇸🇮Slovenia deaom
Good catch for the JS configuration. Just removed the casting from int as it's not necessary and updated post update hook to use correct variable for lifetime. The code works, it sets the cookie base on the settings defined in the configuration, so marking this as RTBC.
- 🇺🇸United States jonraedeke
This is working really, except that the settings form always reverts back to the default value for cookie lifetime. To replicate, change the value to `0` and save. The form will show `31536000`.
- Status changed to Needs work
over 1 year ago 5:50pm 6 December 2023 - 🇺🇸United States jonraedeke
There appears to be something wrong with the logic. After the initial timeout, the user is presented with a dialog on every page request. I have it set to "Logout user regardless of activity".
- Status changed to Needs review
over 1 year ago 10:58am 15 December 2023 - 🇺🇸United States jonraedeke
I figured out why the timer never gets reset after the initial one times out when the module is configured to "Logout user regardless of activity". The cookie with HttpOnly configured to true cannot be accessed by js, so
var login_time = cookies.get("Drupal.visitor.autologout_login"); is undefined.So the HttpOnly setting is currently incompatible with the "Logout user regardless of activity" setting.
Hello @jonraedeke,
I can have a look into js undefined error.I think we can remove the HttpOnly from this patch and keep the rest.
Do let us know your opinion @jonraedeke- 🇮🇳India happy047
Recently, I have updated to the latest [1.5] release of this module and I have also faced the same issue of cookies being undefined error.
However, if you go to the autologout.libraries.yml file, you can see it is dependent on the libraries of [ https://www.drupal.org/project/js_cookie] → module.
You can install and enable the module and the cookie_undefined error will be resolved. - 🇧🇷Brazil fernandaporto
Hello, I've re-rolled the based on the latest merge request #23 ✨ Autologout cookie is not secure Needs review
- 🇫🇷France o'briat Nantes
So, what's left :
- Force HttpOnly to false and remove it from the admin form
- Update the MR with the minor fixes from 3308456-30.patch #30
- Change the MR target branch to 2.x (or create a new one if this fix should still apply to 1.x)
- First commit to issue fork.
- 🇬🇧United Kingdom the_g_bomb
I have:
- Updated the fork with the latest changes.
- Created a new branch from the new target 2.x branch
- Update the MR with the fixes from 3308456-30.patch #30
So, what's left :
Force HttpOnly to false and remove it from the admin form
- 🇺🇸United States mglaman WI, USA
Drupal Core added the
cookie_samesitetosession.storage.optionsservice parameter. This should be used over an override by autologout. Same with thecookie_lifetimevalue. - 🇺🇸United States japerry KVUO
Marking NW per comment #38. Because of the new service parameter, this module should just those values. Note, that option was added in Drupal 10.1.
It'd be preferable to not have additional config. To that end, samesite and lifetime settings do not need to be set. For Drupal 10+, use core's settings. For Drupal 10.0 and lower, just set a default 'Lax' and cookie lifetime to 1 month? 1 year seems long. This maintains compatibility with older versions of Drupal that likely wouldn't need anything but the defaults anyway.
Also, shouldn't the cookie secure setting default to TRUE? Sites should be on https and only need this override in cases like https->http load balancer setups. If you're running on http and forget to set it to FALSE, not quite sure what will happen there, but not sure we should care...
- 🇬🇧United Kingdom the_g_bomb
Using the new service parameter also change the patch to make the module only available to Drupal 10.1 and above.
We can backport a different solution for earlier versions if required.
For the backport I would think we should copy the current core setting which is 200000 and set 'Lax' by default.I have removed the additional config for samesite and lifetime settings, but grabbed those values from core and added them to the JS settings.
I left the cookie secure setting default to FALSE just in case sites don't have an SSL cert. I am also not sure what will happen if that is on without one, so thought it best to leave it as False as turning it on is easier than potentially debugging an error if it is on and causes problems.
- 🇬🇧United Kingdom the_g_bomb
If anyone needs a patch this can be used: https://git.drupalcode.org/project/autologout/-/merge_requests/71.diff
- 🇧🇷Brazil renatog Campinas
Aware about patch link on #41 however if MR is updated the patch is updates as well
So uploading the same patch in a file to avoid being updated. So it can be used on composer if needed
