I think you're right. You can make the change in symfony 1.0 and 1.1

Fabien
--
Fabien Potencier
Sensio CEO - symfony lead developer
http://www.sensiolabs.com/
http://www.symfony-project.com/
Sensio Labs
Tél: +33 1 40 99 80 80

Ian P. Christian wrote:
> I'm not sure if I should post this here, or to the dev list.
>
> sfBasicSecurityUser will time out a session after a certain amount of
> time, and when it does that, it sets a variable such that
> $user->isTimedOut() returns true - this is great.
>
> I am using this in my code as follows:
>
> public function executeIndex()
> {
>   if ('admin_login' != sfContext::getInstance()->getActionStack()->getFirstEntry()->getModuleName())
>   {
>     $timedout = $this->getUser()->isTimedOut() ? 1 : 0;
>     $url = $this->getRequest()->getUri();
>     $uri = sfContext::getInstance()->getController()->genUrl('admin_login/index', true)
>          . '?url=' . urlencode($url) . '&timedout=' . $timedout;
>     $this->redirect($uri);
>   }
>
>   if ($this->getRequestParameter('timedout') == 1)
>     $this->setFlash('timedout', true);
> }
>
> This little snippet of code will redirect an unauthenticated user to the
> login form at a URL like:
>
> http://site/admin_login?url=http%3A%2F%2F...&timedout=0
>
> This allows the login form to redirect a user back to the page they were
> trying to access in the first place before requiring auth, and allows
> for a message to be displayed if the user has been timed out.
>
> HOWEVER... the problem is, sfBasicSecurityUser will time out even
> non-authenticated users, as seen here:
>
> // Automatic logout if no request for more than [sf_timeout]
> if (null !== $this->lastRequest && (time() - $this->lastRequest) > sfConfig::get('sf_timeout'))
> {
>   if (sfConfig::get('sf_logging_enabled'))
>   {
>     $this->getContext()->getLogger()->info('{sfUser} automatic user logout');
>   }
>   $this->setTimedOut();
>   $this->setAuthenticated(false);
> }
>
> This means that my login form will show a timeout message to even
> non-authenticated users, and as far as I can see, there's no means to
> detect if it was an anon/timeout or a user/timeout.
>
> More to the point, should we be logging out unauthenticated users in the
> first place? As you can see, the only thing that happens if a timeout is
> detected is that a user is logged out - if they aren't logged in in the
> first place, is this useful?
>
> I would suggest putting this timeout detection within a check to see if
> the user is authenticated (this already happens in this function
> anyway, so no additional logic/overhead is invoked doing this).
>
> Thoughts?
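The change Ian proposes and Fabien accepts is small: the idle-time check only has meaning for an authenticated session, so the timed-out flag should only ever be raised for one. The script below is an added example, not code from this thread and not symfony's own sfBasicSecurityUser, written so it runs stand-alone under the php CLI. It models the session as a plain array, the timeout as a parameter standing in for sf_timeout, and the login redirect from Ian's action; the function names, the session keys and the sample request times are assumptions made for the example. It also adds the check a practitioner would want around the `url=` parameter that Ian's action passes to the login form: whatever later redirects back to that value is reading attacker-controlled input from the query string, so it should only honour a local path or a URL on its own host, and the "timed out" notice should come from the session flag rather than from `?timedout=1`, which anyone can set by hand.

```php
<?php
// Added example (not from the thread, not symfony's own code): a stand-alone
// model of the timeout check discussed above plus a validated login redirect.
// Session keys, the timeout value and all function names are assumptions.
declare(strict_types=1);

// Stand-in for the idle check in sfBasicSecurityUser::initialize().
// Returns the updated session; the timed-out flag is only raised when a
// session that was actually authenticated has been idle longer than $timeout.
function applyTimeout(array $session, int $now, int $timeout): array
{
    $session['timedOut'] = false;
    $idle = ($session['lastRequest'] !== null) ? $now - $session['lastRequest'] : null;

    // The check suggested in the post: an anonymous visitor who comes back
    // after the timeout is still just anonymous and gets no "expired" notice.
    if ($session['authenticated'] && $idle !== null && $idle > $timeout) {
        $session['authenticated'] = false;
        $session['credentials']   = [];
        $session['timedOut']      = true;
    }

    $session['lastRequest'] = $now;
    return $session;
}

// Allow-list for the return target taken from the query string: a local path
// beginning with a single slash, or an http(s) URL on our own host without
// embedded credentials. Everything else (other hosts, protocol-relative
// "//host", javascript: and friends) is refused.
function isSafeReturnUrl(string $url, string $ownHost): bool
{
    if ($url === '') {
        return false;
    }
    $p = parse_url($url);
    if ($p === false) {
        return false;
    }
    if (isset($p['scheme'])) {
        if (!in_array(strtolower($p['scheme']), ['http', 'https'], true) || !isset($p['host'])) {
            return false;
        }
    }
    if (isset($p['host'])) {
        return strtolower($p['host']) === strtolower($ownHost)
            && !isset($p['user']) && !isset($p['pass']);
    }
    return isset($p['path']) && $p['path'][0] === '/' && substr($url, 0, 2) !== '//';
}

// Build the login redirect the way the post does, but with the return URL
// validated and the timed-out flag taken from the session, not the query.
function loginRedirect(array $session, string $requestUri, string $ownHost): string
{
    $target = isSafeReturnUrl($requestUri, $ownHost) ? $requestUri : '/';
    return '/admin_login/index?url=' . urlencode($target)
        . '&timedout=' . ($session['timedOut'] ? 1 : 0);
}

// --- constructed scenarios (sample data for the example) ---
$timeout = 1800;          // stands in for sf_timeout
$now     = 1000000000;    // fixed "current time" so the output is reproducible
$host    = 'site';

$sessions = [
    'anonymous'    => ['authenticated' => false, 'credentials' => [],        'lastRequest' => $now - 4000, 'timedOut' => false],
    'idle admin'   => ['authenticated' => true,  'credentials' => ['admin'], 'lastRequest' => $now - 4000, 'timedOut' => false],
    'active admin' => ['authenticated' => true,  'credentials' => ['admin'], 'lastRequest' => $now - 60,   'timedOut' => false],
];

foreach ($sessions as $name => $s) {
    $s = applyTimeout($s, $now, $timeout);
    printf("%-13s authenticated=%d timedOut=%d -> %s\n", $name,
        (int) $s['authenticated'], (int) $s['timedOut'],
        loginRedirect($s, 'http://site/admin/users?page=2', $host));
}

// Return targets as they might arrive in url=: only the first two are honoured.
$candidates = [
    '/admin/users?page=2',
    'http://site/admin/users?page=2',
    'http://evil.example/',
    '//evil.example/',
    'http://site@evil.example/',
    'javascript:alert(1)',
];
foreach ($candidates as $u) {
    printf("%-32s safe=%s\n", $u, isSafeReturnUrl($u, $host) ? 'yes' : 'no');
}
```

Of the three sessions only "idle admin" ends with timedOut=1; the anonymous visitor with the same idle time is left alone, which is exactly the behaviour the post asks for. The host comparison in isSafeReturnUrl is deliberately strict (no subdomains, no ports) because the value comes straight from the query string; relax it only if the application really serves from several hosts.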
