FEATURE: add setting permanent_session_cookie to configure session stickiness

Admins can now make the login cookie expire when the browser is closed, so the user needs to log in every time.
This commit is contained in:
Rafael dos Santos Silva 2016-05-17 01:12:09 -03:00
parent dd0260e435
commit 09ef5f613e
3 changed files with 7 additions and 1 deletions


@ -890,6 +890,7 @@ en:
post_undo_action_window_mins: "Number of minutes users are allowed to undo recent actions on a post (like, flag, etc)."
must_approve_users: "Staff must approve all new user accounts before they are allowed to access the site. WARNING: enabling this for a live site will revoke access for existing non-staff users!"
pending_users_reminder_delay: "Notify moderators if new users have been waiting for approval for longer than this many hours. Set to -1 to disable notifications."
permanent_session_cookie: "Use a permanent cookie that persists after closing the browser. When disabling this, you may want to log out everyone programmatically."
ga_tracking_code: "Google analytics (ga.js) tracking code code, eg: UA-12345678-9; see http://google.com/analytics"
ga_domain_name: "Google analytics (ga.js) domain name, eg: mysite.com; see http://google.com/analytics"
ga_universal_tracking_code: "Google Universal Analytics (analytics.js) tracking code code, eg: UA-12345678-9; see http://google.com/analytics"


@ -289,6 +289,7 @@ login:
pending_users_reminder_delay:
min: -1
default: 8
permanent_session_cookie: true
users:
min_username_length:


@ -66,7 +66,11 @@ class Auth::DefaultCurrentUserProvider
user.auth_token = SecureRandom.hex(16)
user.save!
end
cookies.permanent[TOKEN_COOKIE] = { value: user.auth_token, httponly: true }
if SiteSetting.permanent_session_cookie
cookies.permanent[TOKEN_COOKIE] = { value: user.auth_token, httponly: true }
else
cookies[TOKEN_COOKIE] = { value: user.auth_token, httponly: true }
end
make_developer_admin(user)
enable_bootstrap_mode(user)
@env[CURRENT_USER_KEY] = user
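Review bot: Both branches of the new `if` build the identical cookie hash and differ only in the jar, so the options are duplicated; selecting the jar first leaves one place to edit: `jar = SiteSetting.permanent_session_cookie ? cookies.permanent : cookies` followed by `jar[TOKEN_COOKIE] = { value: user.auth_token, httponly: true }`. Neither branch sets `secure:`, so the auth token cookie is still sent over plain HTTP — pre-existing, but this is the natural spot to add it, presumably gated on the site's HTTPS setting, which is not visible here. Note also that a non-permanent cookie only changes the client-side lifetime: the `auth_token` stored on the user (regenerated only in the branch just above, apparently when it is missing, as far as this hunk shows) stays valid server-side after the browser closes, so this setting does not shorten the life of a leaked token; a comment such as `# session cookie: dropped by the browser on close; the stored auth_token itself is not invalidated` would make that explicit. The enclosing method begins before this hunk.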