- Merge request !24Issue #3308456: Autologout cookie is not secure → (Open) created by Dylan Donkersgoed
- 🇳🇱Netherlands johan_vm Tilburg
Patch #11 works fine, but REQUEST_TIME is deprecated, so I added a small fix for that.
The last submitted patch, 12: 3308456-12.patch, failed testing. View results →
- last update
10 months ago 15 pass, 7 fail - First commit to issue fork.
- Status changed to Needs review
9 months ago 9:46am 25 September 2023 - 🇸🇮Slovenia DeaOm
I added the post update hook for the new settings, so existing users have values set and they only need to export the configuration (to have it set "default"). And also applied the changes from patch in comment #12 ✨ Autologout cookie is not secure Needs review
The testing is now done via GitLab CI and test are passing, so setting the status to needs review and "hidding" the patch files, as the issue fork exists and all changes should be done there. - Status changed to Needs work
9 months ago 11:26am 25 September 2023 When the user logs in the cookie correctly sets values of the cookie. The problem comes when JS sets a new cookie
cookies.set("Drupal.visitor.autologout_login", Math.round((new Date()).getTime() / 1000));this resets all values toNone.Looking into fixing it.
- Status changed to Needs review
9 months ago 12:13pm 25 September 2023 - Status changed to RTBC
9 months ago 6:30am 26 September 2023 - 🇸🇮Slovenia DeaOm
Good catch for the JS configuration. Just removed the casting from int as it's not necessary and updated post update hook to use correct variable for lifetime. The code works, it sets the cookie base on the settings defined in the configuration, so marking this as RTBC.
- 🇺🇸United States jonraedeke
This is working really, except that the settings form always reverts back to the default value for cookie lifetime. To replicate, change the value to `0` and save. The form will show `31536000`.
- Status changed to Needs work
7 months ago 5:50pm 6 December 2023 - 🇺🇸United States jonraedeke
There appears to be something wrong with the logic. After the initial timeout, the user is presented with a dialog on every page request. I have it set to "Logout user regardless of activity".
- Status changed to Needs review
6 months ago 10:58am 15 December 2023 - 🇺🇸United States jonraedeke
I figured out why the timer never gets reset after the initial one times out when the module is configured to "Logout user regardless of activity". The cookie with HttpOnly configured to true cannot be accessed by js, so
var login_time = cookies.get("Drupal.visitor.autologout_login"); is undefined.So the HttpOnly setting is currently incompatible with the "Logout user regardless of activity" setting.
I think we can remove the HttpOnly from this patch and keep the rest.
Do let us know your opinion @jonraedeke