external/aurweb
0
0
Fork 0
mirror of https://gitlab.archlinux.org/archlinux/aurweb.git synced 2025-02-03 10:43:03 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

Remove the per-user session limit

Browse source 
This feature was originally introduced by
f961ffd9c7 as a fix for FS#12898
<https://bugs.archlinux.org/task/12898>.

As of today, it is broken because of the `q.SessionID IS NULL` condition
in the WHERE clause, which can’t be true because SessionID is not
nullable. As a consequence, the session limit was not applied.

The fact the absence of the session limit hasn’t caused any issue so
far, and hadn’t even been noticed, suggests the feature is unneeded.

Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
This commit is contained in:
Frédéric Mangano-Tarumi 2020-07-29 13:46:10 +02:00 committed by Lukas Fleischer
parent be31675b65
commit 87815d37c0
3 changed files with 1 additions and 17 deletions
Download patch file Download diff file Expand all files Collapse all files

2
aurweb/routers/sso.py
View file

@ -56,7 +56,7 @@ def open_session(request, conn, user_id):
raise HTTPException(status_code=403, detail=_('Account suspended'))
# TODO This is a terrible message because it could imply the attempt at
# logging in just caused the suspension.
# TODO apply [options] max_sessions_per_user
sid = uuid.uuid4().hex
conn.execute(Sessions.insert().values(
UsersID=user_id,

1
conf/config.defaults
View file

@ -13,7 +13,6 @@ passwd_min_len = 8
default_lang = en
default_timezone = UTC
sql_debug = 0
max_sessions_per_user = 8
login_timeout = 7200
persistent_cookie_timeout = 2592000
max_filesize_uncompressed = 8388608

15
web/lib/acctfuncs.inc.php
View file

@ -596,21 +596,6 @@ function try_login() {
/* Generate a session ID and store it. */
while (!$logged_in && $num_tries < 5) {
$session_limit = config_get_int('options', 'max_sessions_per_user');
if ($session_limit) {
/*
* Delete all user sessions except the
* last ($session_limit - 1).
*/
$q = "DELETE FROM Sessions ";
$q.= "WHERE UsersId = " . $userID . " ";
$q.= "AND SessionID NOT IN (SELECT SessionID FROM Sessions ";
$q.= "WHERE UsersID = " . $userID . " ";
$q.= "ORDER BY LastUpdateTS DESC ";
$q.= "LIMIT " . ($session_limit - 1) . ")";
$dbh->query($q);
}
$new_sid = new_sid();
$q = "INSERT INTO Sessions (UsersID, SessionID, LastUpdateTS)"
." VALUES (" . $userID . ", '" . $new_sid . "', " . strval(time()) . ")";