Allow autoLogin and security
Posted 28 March 2009 - 02:07 AM
1) Allow users to log in automatically
2) Restrict users to sending no more than 10 "tell a friend" messages.
I was using setState()/getState() for that. But that is insecure: one can substitute the tafNum variable in the cookie and spam. What can be done here? Where is it better to store such variables?
Additional question - how to control the session length? Is it possible to control the max length and the max inactivity length?
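One way to keep such a counter out of the user's reach, as an added example that is not code from the thread or from Yii: hold the count in server-side session storage ($_SESSION, which the browser only references via the session id cookie) instead of in a cookie value the client can edit. The function name, constants and window length are assumptions for illustration.

```php
<?php
// Added example: server-side "tell a friend" counter with a sliding daily window.
// TAF_LIMIT / TAF_WINDOW / tellAFriendAllowed() are names chosen for this example.

const TAF_LIMIT  = 10;      // max messages per window
const TAF_WINDOW = 86400;   // window length in seconds (one day, assumed)

/**
 * Returns true and increments the counter if the caller may send another
 * message; returns false once the limit for the current window is reached.
 * $store is the server-side storage array ($_SESSION in a real request);
 * the client never sees or controls its contents, only the session id.
 */
function tellAFriendAllowed(array &$store, $now)
{
    if (!isset($store['taf']) || $now - $store['taf']['start'] >= TAF_WINDOW) {
        // no counter yet, or the previous window has elapsed: start a new one
        $store['taf'] = array('start' => $now, 'count' => 0);
    }
    if ($store['taf']['count'] >= TAF_LIMIT) {
        return false;               // limit reached, do not send
    }
    $store['taf']['count']++;       // record this send
    return true;
}

// Usage inside the request handler that sends the message.
session_start();
if (tellAFriendAllowed($_SESSION, time())) {
    // ... send the "tell a friend" message here ...
} else {
    http_response_code(429);        // Too Many Requests
    echo 'Daily limit reached.';
}
```

A session-bound counter resets when the session expires or the visitor starts a new one, so for a limit that must hold per account across sessions, keep the count and window start in the database keyed by the authenticated user id and check it in the same way.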
Posted 12 June 2009 - 03:13 AM
Didn't want to start a new post on that, and saw the last comment here about the CHttpSession's timeout property, which is what I need.
I'm trying to change the session timeout from the default (1440) to, let's say, 86400.
The server runs on Linux and hosts multiple sites, so I also need to change the session save path to 'my path' to keep the default, shorter GC from removing my session.
The only way I've managed to do that is by setting
php_admin_value session.gc_maxlifetime 86400
php_admin_value session.save_path /tmp/mysite
When I tried to change CHttpSession object properties it didn't give any results, the session object was changed only within the current request, and after redirect the session properties were still default (1440, /tmp).
Does someone know what I forgot or did wrong?
PS: the code I used was in the LoginForm authenticate handler function:
Posted 23 April 2012 - 02:22 PM