ZenphotoCMS Forum
How to handle auto-logout ? - Printable Version

+- ZenphotoCMS Forum (https://forum.zenphoto.org)
+-- Forum: Support (https://forum.zenphoto.org/forum-1.html)
+--- Forum: General support (https://forum.zenphoto.org/forum-4.html)
+--- Thread: How to handle auto-logout ? (/thread-10346.html)

Pages: 1 2


How to handle auto-logout ? - divinorum - 2012-08-30

Hello guys,

I'm doing some coding to my template and I'm almost finished, however I'm quite surprised, that ZP hasn't user auto logout feature :/

Please:

  1. is there any possibility to simply enable it and set time period ?
  2. If not, is there any doc how login / auth is working, please ?

This is the last piece before I'll go live, som many thanks in advance for any help :-)

Ivan




How to handle auto-logout ? - sbillard - 2012-08-30

Well, actually remembered logins are done with cookies and they do have expiry times, so I guess we do have auto-logout. In addition, there is an option for setting this duration, so I guess you can do what you want.




How to handle auto-logout ? - divinorum - 2012-08-30

Thanks Sbillard, however I dont think this is set by default.. It seems to be set more like to never expire.

I'll try to search for correct setting tomorrow, good night :-)

PS: I'm searching for session expiration, not cookie expiration.

Ivan




How to handle auto-logout ? - sbillard - 2012-08-30

The cookie is set to expire based on the option. But of course, cookie management is up to the browser, not Zenphoto.

Sessions also expire based on server/PHP configurations. Zenphoto has no control of them. Normally they will expire when the browser exits.

Have you chosen the "gallery sessions" option? If not sessions are not in play.




How to handle auto-logout ? - divinorum - 2012-08-31

not yet, but I'll look for that option.




How to handle auto-logout ? - divinorum - 2012-08-31

Many thanks for pointing this out ! I was even more simple, but I missed that checkbox, becauses the meaning was lost in the translation so, no need to code anymore, cool

Finally, so the user loggout after being idle is controlled only by Apache settings / by .htaccess ?

Hope this is my last question here..

Ivan




How to handle auto-logout ? - divinorum - 2012-08-31

session.gc_maxlifetime seems to not have any impact on this




How to handle auto-logout ? - acrylian - 2012-08-31

Quote:I was even more simple, but I missed that checkbox, becauses the meaning was lost in the translation

Could you elaborate this? In which language/translation the meaning got lost? If we know this we can point our translators to this.




How to handle auto-logout ? - divinorum - 2012-08-31

sure, just tell me how




How to handle auto-logout ? - acrylian - 2012-08-31

Well, tell us and we tell them...:-)




How to handle auto-logout ? - sbillard - 2012-08-31

Probably the "meaning" would be lost even in English. The option does not really address "auto-logout" since sesssions really have nothing to do with that. One would have to know what browser sessions are to make the connection.

As to how you control the timeout. As I mentioned before this is a browser/server determined thing. One of the reasons it is not so popular. I do not think that sessions time out typically from beign idle--they normally stay active so long as the browser has not closed.




How to handle auto-logout ? - divinorum - 2012-09-02

Acrylian, I think we could use in Slovak translation word "sedenie" for current session, istead of "relácia". It's more exact, but thats just my opinion..




How to handle auto-logout ? - divinorum - 2012-09-02

Sbillard, I'm normally using mechanism in my code to ensure, that user will not stay too long logged in if it's idle (eg in netcaffee, etc..)

To achive that, I'm using either:

  1. timestamp written as session variable, refreshed on any user action

OR

  1. even more simple, storring session data in the DB instead of flatfile and checking that timestamp on each verification.

Once timestamp is too old in both cases, login is not valid anymore and user has to log in again.

My question here was if there is such mechanish already implemented in ZenPhoto or if I have to code it..

Ivan




How to handle auto-logout ? - acrylian - 2012-09-02

Ok, will write a mail to our translator mailing list.




How to handle auto-logout ? - sbillard - 2012-09-02

Such code can be made for Zenphoto if the cookie timeout is not to your liking. (Not sure why that would be, though.) Still, it seems to me that it is pretty unfriendly to log someone out while he is using the site so if you wanted to expire a user it should probably be done when he is not on the site which in turn means some kind of backgroud process.




How to handle auto-logout ? - divinorum - 2012-09-04

well, finally, I spent several hours to discover actuall security of the gallery and I have decided to rewrite this part from the scratch.

I have already added some script to handle access to pictures, as there is possibility to access pictures by direct URL even if the user is not logged in. That's done. Now I'm working on real auth by sessions, not cookies

Guys, good work with this gallery for public use, but really weak for personal use

Not blaming you, just provideing info to another users.

Ivan




How to handle auto-logout ? - acrylian - 2012-09-05

Well, probably because Zenphoto is primarily meant to run public websites.

Quote: as there is possibility to access pictures by direct URL
If you mean you can access unpublished items via url directly, yes, that is not a bug but a feature. You need to password protect them if you don't wish that.
OF course you can link to the albums folder and its images direclty as well if you know it. But since the filesystem is out of Zenphoto's control you would need to use htaccess to avoid that. We have a troubleshooting entry about that if I recall right.




How to handle auto-logout ? - divinorum - 2012-09-06

Right, but banning access by .htaccess is also breaking up links within the gallery & admin,so I put there small wrapper to forward picture data only if user is logged in.

But you are right. If gallery should be for public use, then I just had different expectations

Ivan




How to handle auto-logout ? - acrylian - 2012-09-06

Well, websites generally are meant to be seen..;-) If you really want the whole gallery to be protected a htaccess directory password protection is the only really secure way.




How to handle auto-logout ? - sbillard - 2012-09-06

There is no issue with making a Zenphoto gallery private, you just have to understand how WEB browsers work and take appropriate actions. For instance, move the album repository off the WEB path or protect it with .htaccess.

But if you do this, you have to be sure that your theme does not attempt to directly access the album folder because that will not work for anyone (as you observed) if it is protected as above.

All this is provided for by Zenphoto but not configured out ot the box because it usually is not needed.