![]() |
|
How to handle auto-logout ? - Printable Version +- ZenphotoCMS Forum (https://forum.zenphoto.org) +-- Forum: Support (https://forum.zenphoto.org/forum-1.html) +--- Forum: General support (https://forum.zenphoto.org/forum-4.html) +--- Thread: How to handle auto-logout ? (/thread-10346.html) Pages:
1
2
|
How to handle auto-logout ? - divinorum - 2012-08-30 Hello guys, I'm doing some coding to my template and I'm almost finished, however I'm quite surprised, that ZP hasn't user auto logout feature :/ Please:
This is the last piece before I'll go live, som many thanks in advance for any help :-) Ivan How to handle auto-logout ? - sbillard - 2012-08-30 Well, actually remembered logins are done with cookies and they do have expiry times, so I guess we do have auto-logout. In addition, there is an option for setting this duration, so I guess you can do what you want. How to handle auto-logout ? - divinorum - 2012-08-30 Thanks Sbillard, however I dont think this is set by default.. It seems to be set more like to never expire. I'll try to search for correct setting tomorrow, good night :-) PS: I'm searching for session expiration, not cookie expiration. Ivan How to handle auto-logout ? - sbillard - 2012-08-30 The cookie is set to expire based on the option. But of course, cookie management is up to the browser, not Zenphoto. Sessions also expire based on server/PHP configurations. Zenphoto has no control of them. Normally they will expire when the browser exits. Have you chosen the "gallery sessions" option? If not sessions are not in play. How to handle auto-logout ? - divinorum - 2012-08-31 not yet, but I'll look for that option. How to handle auto-logout ? - divinorum - 2012-08-31 Many thanks for pointing this out ! I was even more simple, but I missed that checkbox, becauses the meaning was lost in the translation so, no need to code anymore, cool Finally, so the user loggout after being idle is controlled only by Apache settings / by .htaccess ? Hope this is my last question here.. Ivan How to handle auto-logout ? - divinorum - 2012-08-31 session.gc_maxlifetime seems to not have any impact on this How to handle auto-logout ? - acrylian - 2012-08-31 Quote:I was even more simple, but I missed that checkbox, becauses the meaning was lost in the translation How to handle auto-logout ? - divinorum - 2012-08-31 sure, just tell me how How to handle auto-logout ? - acrylian - 2012-08-31 Well, tell us and we tell them...:-) How to handle auto-logout ? - sbillard - 2012-08-31 Probably the "meaning" would be lost even in English. The option does not really address "auto-logout" since sesssions really have nothing to do with that. One would have to know what browser sessions are to make the connection. As to how you control the timeout. As I mentioned before this is a browser/server determined thing. One of the reasons it is not so popular. I do not think that sessions time out typically from beign idle--they normally stay active so long as the browser has not closed. How to handle auto-logout ? - divinorum - 2012-09-02 Acrylian, I think we could use in Slovak translation word "sedenie" for current session, istead of "relácia". It's more exact, but thats just my opinion.. How to handle auto-logout ? - divinorum - 2012-09-02 Sbillard, I'm normally using mechanism in my code to ensure, that user will not stay too long logged in if it's idle (eg in netcaffee, etc..) To achive that, I'm using either:
OR
Once timestamp is too old in both cases, login is not valid anymore and user has to log in again. My question here was if there is such mechanish already implemented in ZenPhoto or if I have to code it.. Ivan How to handle auto-logout ? - acrylian - 2012-09-02 Ok, will write a mail to our translator mailing list. How to handle auto-logout ? - sbillard - 2012-09-02 Such code can be made for Zenphoto if the cookie timeout is not to your liking. (Not sure why that would be, though.) Still, it seems to me that it is pretty unfriendly to log someone out while he is using the site so if you wanted to expire a user it should probably be done when he is not on the site which in turn means some kind of backgroud process. How to handle auto-logout ? - divinorum - 2012-09-04 well, finally, I spent several hours to discover actuall security of the gallery and I have decided to rewrite this part from the scratch. I have already added some script to handle access to pictures, as there is possibility to access pictures by direct URL even if the user is not logged in. That's done. Now I'm working on real auth by sessions, not cookies Guys, good work with this gallery for public use, but really weak for personal use Not blaming you, just provideing info to another users. Ivan How to handle auto-logout ? - acrylian - 2012-09-05 Well, probably because Zenphoto is primarily meant to run public websites. Quote: as there is possibility to access pictures by direct URL How to handle auto-logout ? - divinorum - 2012-09-06 Right, but banning access by .htaccess is also breaking up links within the gallery & admin,so I put there small wrapper to forward picture data only if user is logged in. But you are right. If gallery should be for public use, then I just had different expectations Ivan How to handle auto-logout ? - acrylian - 2012-09-06 Well, websites generally are meant to be seen..;-) If you really want the whole gallery to be protected a htaccess directory password protection is the only really secure way. How to handle auto-logout ? - sbillard - 2012-09-06 There is no issue with making a Zenphoto gallery private, you just have to understand how WEB browsers work and take appropriate actions. For instance, move the album repository off the WEB path or protect it with .htaccess. But if you do this, you have to be sure that your theme does not attempt to directly access the album folder because that will not work for anyone (as you observed) if it is protected as above. All this is provided for by Zenphoto but not configured out ot the box because it usually is not needed. |