fix: use max-age for all cookie expirations

in addition, remove cookie expiration for AURREMEMBER --
we don't really care about a session time for this cookie; it merely
acts as a flag given out on login to remember what the user selected

Signed-off-by: Kevin Morris <kevr@0cost.org>
This commit is contained in:
Kevin Morris 2022-08-17 10:01:06 -07:00
parent 8e43932aa6
commit fd4aaed208
No known key found for this signature in database
GPG key ID: F7E46DED420788F3


@ -6,7 +6,7 @@ from sqlalchemy import or_
import aurweb.config
from aurweb import cookies, db, time
from aurweb import cookies, db
from aurweb.auth import requires_auth, requires_guest
from aurweb.exceptions import handle_form_exceptions
from aurweb.l10n import get_translator_for_request
@ -65,15 +65,11 @@ async def login_post(request: Request,
return await login_template(request, next,
errors=["Bad username or password."])
login_timeout = aurweb.config.getint("options", "login_timeout")
expires_at = int(time.utcnow() + max(cookie_timeout, login_timeout))
response = RedirectResponse(url=next,
status_code=HTTPStatus.SEE_OTHER)
secure = aurweb.config.getboolean("options", "disable_http_login")
response.set_cookie("AURSID", sid, expires=expires_at,
response.set_cookie("AURSID", sid, max_age=cookie_timeout,
secure=secure, httponly=secure,
samesite=cookies.samesite())
response.set_cookie("AURTZ", user.Timezone,
@ -83,7 +79,6 @@ async def login_post(request: Request,
secure=secure, httponly=secure,
samesite=cookies.samesite())
response.set_cookie("AURREMEMBER", remember_me,
expires=expires_at,
secure=secure, httponly=secure,
samesite=cookies.samesite())
return response
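Review bot: The AURREMEMBER cookie in the last hunk is now set with neither `max_age` nor `expires`, so browsers treat it as a session cookie and drop it when the browser closes, while AURSID (second hunk, `max_age=cookie_timeout`) survives a restart; any code that later reads AURREMEMBER to decide how long the login should last would then no longer see the flag even though the session is still valid. If the flag is meant to live as long as the login, give it the same lifetime by putting `max_age=cookie_timeout,` where the removed `expires=expires_at,` line was. The second hunk also replaces `max(cookie_timeout, login_timeout)` with `cookie_timeout` alone; `cookie_timeout` is assigned before the hunk, so whether this shortens non-remember-me logins below `login_timeout` cannot be confirmed here and deserves a sentence in the commit message. Separately, `httponly=secure` on the rewritten AURSID call ties HttpOnly to the `disable_http_login` setting, whereas the session cookie should carry `httponly=True` regardless of transport so page scripts can never read the SID. `login_post` starts before the first hunk.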