I'm not sure if I should post this here, or to the dev list.
sfBasicSecurityUser will time out a session after a certain amount of
time, and when it does that, it sets a variable such that
$user->isTimedOut() returns true - this is great.
I am using this in my code as follows:

    public function executeIndex()
    {
      // Not on the login module yet: send the user there, carrying the
      // original URI and whether the session had timed out
      if ('admin_login' != sfContext::getInstance()->getActionStack()->getFirstEntry()->getModuleName())
      {
        $timedout = $this->getUser()->isTimedOut() ? 1 : 0;
        $url      = $this->getRequest()->getUri();
        $uri      = sfContext::getInstance()->getController()->genUrl('admin_login/index', true)
                  . '?url=' . urlencode($url) . '&timedout=' . $timedout;
        $this->redirect($uri);
      }

      // Already on the login form: remember the timeout so a message can be shown
      if ($this->getRequestParameter('timedout') == 1)
      {
        $this->setFlash('timedout', true);
      }
    }
This little snippet of code will redirect an unauthenticated user to the
login form at a URL like:

    http://site/admin_login?url=http%3A%2F%2F...&timedout=0
This allows the login form to redirect a user back to the page they were
trying to access in the first place before requiring auth, and allows
for a message to be displayed if the user has been timed out.
HOWEVER... the problem is, sfBasicSecurityUser will time out even
non-authenticated users, as seen here:
    // Automatic logout if no request for more than [sf_timeout]
    if (null !== $this->lastRequest && (time() - $this->lastRequest) > sfConfig::get('sf_timeout'))
    {
      if (sfConfig::get('sf_logging_enabled'))
      {
        $this->getContext()->getLogger()->info('{sfUser} automatic user logout');
      }

      $this->setTimedOut();
      $this->setAuthenticated(false);
    }
This means that my login form will show a timeout issue even to
non-authenticated users, and as far as I can see, there's no means to
detect whether it was an anon/timeout or a user/timeout.
More to the point, should we be logging out unauthenticated users in the
first place? As you can see, the only thing that happens if a timeout is
detected is that a user is logged out - if they aren't logged in in the
first place, is this useful?
I would suggest putting this timeout detection within a check to see if
the user is authenticated (this already happens in this function
anyway, so no additional logic/overhead is invoked doing this).
Thoughts?
--
Ian P. Christian ~ pookey.co.uk
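The following is an added example, not code from the post above or from symfony itself: a self-contained PHP model of the timeout check quoted in the post, run once with the current behaviour and once with the proposed guard (only time out sessions that are actually authenticated), so the difference the login form would see is visible side by side. The class and function names (SessionModel, handleRequest, loginState, scenario), the 30-minute timeout and the idle times are all constructed for this illustration; $timeoutSeconds plays the role of sf_timeout.

```php
<?php
// Added example (not symfony's own code): a minimal model of the
// sfBasicSecurityUser timeout logic quoted above, parameterised so the
// current behaviour and the proposed fix can be compared.
// All names and numbers here are invented for the illustration.

class SessionModel
{
    private $authenticated = false;
    private $timedOut      = false;
    private $lastRequest   = null;   // unix time of the previous request
    private $timeoutSeconds;         // stands in for sf_timeout
    private $onlyAuthenticated;      // false = current behaviour, true = proposed fix

    public function __construct($timeoutSeconds, $onlyAuthenticated)
    {
        $this->timeoutSeconds    = $timeoutSeconds;
        $this->onlyAuthenticated = $onlyAuthenticated;
    }

    public function setAuthenticated($flag)
    {
        $this->authenticated = (bool) $flag;
        if ($flag) {
            $this->timedOut = false;   // a fresh login clears any earlier timeout
        }
    }

    public function isAuthenticated() { return $this->authenticated; }
    public function isTimedOut()      { return $this->timedOut; }

    // The per-request check from the quoted code. $now is passed in so the
    // scenarios below can simulate idle time without sleeping.
    public function handleRequest($now)
    {
        $expired = (null !== $this->lastRequest)
                && ($now - $this->lastRequest) > $this->timeoutSeconds;

        // Proposed fix: an anonymous session has nothing to be logged out of,
        // so only an authenticated session can become "timed out".
        if ($expired && (!$this->onlyAuthenticated || $this->authenticated)) {
            $this->timedOut      = true;    // setTimedOut()
            $this->authenticated = false;   // setAuthenticated(false)
        }
        $this->lastRequest = $now;
    }
}

// What a login form can conclude from the two flags alone.
function loginState(SessionModel $user)
{
    if ($user->isAuthenticated()) {
        return 'authenticated';
    }
    return $user->isTimedOut() ? 'timed out' : 'anonymous';
}

// One scenario: optionally log in, make a request, stay idle for
// $idleSeconds, make another request, then report what the login form sees.
function scenario($loggedIn, $idleSeconds, $onlyAuthenticated)
{
    $timeout = 1800;      // 30 minutes, a typical sf_timeout (constructed)
    $t0      = 1000000;   // arbitrary start time (constructed)
    $user    = new SessionModel($timeout, $onlyAuthenticated);
    if ($loggedIn) {
        $user->setAuthenticated(true);
    }
    $user->handleRequest($t0);
    $user->handleRequest($t0 + $idleSeconds);
    return loginState($user);
}

$cases = array(
    // label,                        loggedIn, idle seconds
    array('anonymous, idle 1 hour',   false,   3600),
    array('logged in, idle 1 hour',   true,    3600),
    array('logged in, idle 1 minute', true,      60),
);

printf("%-26s %-14s %s\n", 'scenario', 'current', 'proposed');
foreach ($cases as $c) {
    list($label, $loggedIn, $idle) = $c;
    printf("%-26s %-14s %s\n", $label,
        scenario($loggedIn, $idle, false),
        scenario($loggedIn, $idle, true));
}
```

Run it with `php timeout_model.php`. Only the first row differs between the two columns: a visitor who was never logged in is reported as timed out under the current logic and as plainly anonymous under the proposed guard, while a genuinely expired login is reported as timed out in both. Independently of what the framework does, a login action that takes a `url` parameter straight from the query string should treat it as untrusted and only redirect back to a path on the same site after a successful login.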