How to handle auto-logout?

Hello guys,

I'm doing some coding on my template and I'm almost finished; however, I'm quite surprised that ZP hasn't got a user auto-logout feature :/

Please:

1. Is there any possibility to simply enable it and set a time period?
2. If not, is there any doc on how login / auth is working, please?

This is the last piece before I'll go live, so many thanks in advance for any help :-)

Ivan

Comments

  • Well, actually remembered logins are done with cookies and they do have expiry times, so I guess we do have auto-logout. In addition, there is an option for setting this duration, so I guess you can do what you want.
  • Thanks Sbillard, however I don't think this is set by default.. It seems more like it's set to never expire.

    I'll try to search for correct setting tomorrow, good night :-)

    PS: I'm searching for session expiration, not cookie expiration.

    Ivan
  • The cookie is set to expire based on the option. But of course, cookie management is up to the browser, not Zenphoto.

    Sessions also expire based on server/PHP configurations. Zenphoto has no control of them. Normally they will expire when the browser exits.

    Have you chosen the "gallery sessions" option? If not sessions are not in play.
  • not yet, but I'll look for that option.
  • Many thanks for pointing this out! It was even more simple, but I missed that checkbox, because the meaning was lost in the translation :) so, no need to code anymore, cool

    Finally, so the user logout after being idle is controlled only by Apache settings / by .htaccess?

    Hope this is my last question here..

    Ivan
  • session.gc_maxlifetime seems to not have any impact on this :(
  • acrylian Administrator, Developer
    It was even more simple, but I missed that checkbox, because the meaning was lost in the translation :)
    Could you elaborate this? In which language/translation the meaning got lost? If we know this we can point our translators to this.
  • sure, just tell me how :)
  • acrylian Administrator, Developer
    Well, tell us and we tell them...:-)
  • Probably the "meaning" would be lost even in English. The option does not really address "auto-logout" since sessions really have nothing to do with that. One would have to know what browser sessions are to make the connection.

    As to how you control the timeout: as I mentioned before, this is a browser/server determined thing. One of the reasons it is not so popular. I do not think that sessions typically time out from being idle; they normally stay active so long as the browser has not closed.
  • Acrylian, I think we could use in the Slovak translation the word "sedenie" for the current session, instead of "relácia". It's more exact, but that's just my opinion..
  • Sbillard, I'm normally using a mechanism in my code to ensure that the user will not stay logged in too long if they are idle (e.g. in an internet café, etc..)

    To achieve that, I'm using either:

    1. timestamp written as session variable, refreshed on any user action

    OR

    2. even more simple, storing session data in the DB instead of a flat file and checking that timestamp on each verification.

    Once the timestamp is too old, in both cases the login is not valid anymore and the user has to log in again.

    My question here was if there is such a mechanism already implemented in ZenPhoto or if I have to code it..

    Ivan
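The first mechanism described in the post above (a timestamp kept in the session, refreshed on every request and checked before the login is trusted), written out as an added PHP example; this is not Zenphoto's own code, and `IDLE_TIMEOUT_SECONDS`, `session_is_fresh()` and `record_login()` are assumed names:

```php
<?php
// Added example, not Zenphoto code: idle-timeout enforcement with a session
// timestamp that is refreshed on every request. Names below are assumptions.

const IDLE_TIMEOUT_SECONDS = 15 * 60; // 15 minutes without a request ends the login

/**
 * Call at the top of every request that relies on $_SESSION['user'].
 * Returns true if the login is still valid; false if it was idle too long,
 * in which case the server-side session and its cookie are destroyed.
 * $now is passed in so the check can be exercised with a fixed clock.
 */
function session_is_fresh(int $now, int $timeout = IDLE_TIMEOUT_SECONDS): bool
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $last = $_SESSION['last_activity'] ?? null;
    if ($last !== null && ($now - (int) $last) > $timeout) {
        // Expired: clear data, invalidate the cookie, remove the stored session.
        // session.gc_maxlifetime alone is not a reliable timeout: garbage
        // collection only runs with probability gc_probability/gc_divisor, so a
        // stale session can still be resumed until the collector happens to run.
        $_SESSION = [];
        if (ini_get('session.use_cookies')) {
            $p = session_get_cookie_params();
            setcookie(session_name(), '', time() - 42000,
                      $p['path'], $p['domain'], $p['secure'], $p['httponly']);
        }
        session_destroy();
        return false;
    }
    $_SESSION['last_activity'] = $now; // any request counts as activity
    return true;
}

/** Run once after the password check succeeds. */
function record_login(string $username): void
{
    session_regenerate_id(true);       // fresh id after login (session fixation defence)
    $_SESSION['user'] = $username;
    $_SESSION['last_activity'] = time();
}

// Page guard: send idle or logged-out users back to the login form.
if (!session_is_fresh(time()) || empty($_SESSION['user'])) {
    header('Location: /login.php?reason=idle');
    exit;
}
```

The second option from the post (sessions in the DB) only changes where `$_SESSION` is persisted, e.g. via a custom `session_set_save_handler()`; the freshness check stays the same.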
  • acrylian Administrator, Developer
    Ok, will write a mail to our translator mailing list.
  • Such code can be made for Zenphoto if the cookie timeout is not to your liking. (Not sure why that would be, though.) Still, it seems to me that it is pretty unfriendly to log someone out while he is using the site, so if you wanted to expire a user it should probably be done when he is not on the site, which in turn means some kind of background process.
  • Well, finally, I spent several hours discovering the actual security of the gallery and I have decided to rewrite this part from scratch.

    I have already added some script to handle access to pictures, as there is the possibility to access pictures by direct URL even if the user is not logged in. That's done. Now I'm working on real auth by sessions, not cookies ;)

    Guys, good work with this gallery for public use, but really weak for personal use ;)

    Not blaming you, just providing info to other users.

    Ivan
  • acrylian Administrator, Developer
    Well, probably because Zenphoto is primarily meant to run public websites.
    as there is the possibility to access pictures by direct URL
    If you mean you can access unpublished items via URL directly, yes, that is not a bug but a feature. You need to password protect them if you don't wish that.
    Of course you can link to the albums folder and its images directly as well if you know it. But since the filesystem is out of Zenphoto's control you would need to use htaccess to avoid that. We have a troubleshooting entry about that if I recall right.
  • Right, but banning access by .htaccess is also breaking links within the gallery & admin, so I put there a small wrapper to forward picture data only if the user is logged in.

    But you are right. If gallery should be for public use, then I just had different expectations :)

    Ivan
  • acrylian Administrator, Developer
    Well, websites generally are meant to be seen..;-) If you really want the whole gallery to be protected, an htaccess directory password protection is the only really secure way.
  • There is no issue with making a Zenphoto gallery private, you just have to understand how WEB browsers work and take appropriate actions. For instance, move the album repository off the WEB path or protect it with .htaccess.

    But if you do this, you have to be sure that your theme does not attempt to directly access the album folder because that will not work for anyone (as you observed) if it is protected as above.

    All this is provided for by Zenphoto but not configured out of the box because it usually is not needed.