[geeklog-devel] OAuth and sessions (was: Geeklog 1.8.0)

Dirk Haun dirk at haun-online.de
Mon Apr 25 05:16:37 EDT 2011


> If you see anything else not working as expected, let me know please.

It seems users who logged in with Twitter are logged out after 2 minutes.

The reason for this is this piece of code in lib-common.php:

// Clear out any expired sessions
DB_query( "DELETE FROM {$_TABLES['sessions']} WHERE start_time < " . ( time() - $_CONF['whosonline_threshold'] ));

The threshold is set to 120 seconds on geeklog.net. After that time, the session is deleted. For "normal" logged-in users, this doesn't matter since then their session cookie kicks in, which has a timeout of 7200 seconds (or 2 hours).

So what's different here for Twitter (all OAuth?) users? Haven't really dug into the code, I have to admit.


Actually, now that I think about it, deleting the session before the session cookie expires doesn't make sense. Normal logged-in users also have the long-term cookie, the time for which is set in My Account and defaults to 8 hours. So their session is removed after 2 minutes and the session cookie doesn't help either, so we actually fall back to the long-term cookie. Which, for some reason, doesn't seem to be there for OAuth (or at least Twitter) users ...

Cue discussion about replacing our Byzantine session handling in 3, 2, 1, ....

bye, Dirk
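A toy model of the three timers described in the post (the sessions table purge driven by whosonline_threshold, the session cookie, and the long-term cookie), added here as a worked example; it is not Geeklog's code. The class names, the cookie names and the way the long-term cookie re-creates a session are assumptions made for the model, and the purge condition mirrors the DELETE quoted above. Running it shows why a login without a long-term cookie is gone after the first hit more than 120 seconds after login, while a login with one survives until that cookie expires, and that purging no earlier than the session cookie timeout keeps the cookie-less user logged in.

```python
"""Toy model of the three login timers discussed in the post above:
the sessions table purge (whosonline_threshold), the session cookie
(session_cookie_timeout) and the long-term cookie (permanent cookie).

Constructed example, not Geeklog's own code. The class, cookie and
parameter names are assumptions for the model; the default values
mirror the numbers quoted in the post (120 s, 7200 s, 8 h).
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Tuple

ANONYMOUS = 0  # the model's own marker for "not logged in"


@dataclass
class Browser:
    # cookie name -> (value, expiry timestamp); expired cookies are not sent
    cookies: Dict[str, Tuple[int, int]] = field(default_factory=dict)

    def get(self, name: str, now: int) -> Optional[int]:
        entry = self.cookies.get(name)
        if entry is None or entry[1] <= now:
            self.cookies.pop(name, None)
            return None
        return entry[0]

    def set(self, name: str, value: int, expires: int) -> None:
        self.cookies[name] = (value, expires)


@dataclass
class Site:
    whosonline_threshold: int = 120           # purge sessions rows older than this
    session_cookie_timeout: int = 7200        # lifetime of the session cookie
    permanent_cookie_timeout: int = 8 * 3600  # lifetime of the long-term cookie
    # sess_id -> (uid, start_time); stands in for the sessions table
    sessions: Dict[int, Tuple[int, int]] = field(default_factory=dict)
    next_sess_id: int = 1

    def _start_session(self, browser: Browser, uid: int, now: int) -> None:
        sid = self.next_sess_id
        self.next_sess_id += 1
        self.sessions[sid] = (uid, now)
        browser.set("session", sid, now + self.session_cookie_timeout)

    def login(self, browser: Browser, uid: int, now: int, long_term: bool) -> None:
        """Log uid in. long_term=False models the OAuth case from the post,
        where no long-term cookie is set."""
        self._start_session(browser, uid, now)
        if long_term:
            browser.set("permanent", uid, now + self.permanent_cookie_timeout)

    def request(self, browser: Browser, now: int) -> int:
        """One page hit: purge old rows, then resolve the visitor's uid."""
        # Same condition as the DELETE in lib-common.php:
        #   start_time < time() - whosonline_threshold
        cutoff = now - self.whosonline_threshold
        self.sessions = {sid: row for sid, row in self.sessions.items()
                         if row[1] >= cutoff}
        # Modelling assumption: start_time is not refreshed after login, so
        # the threshold counts from login rather than from the last hit.
        sid = browser.get("session", now)
        if sid is not None and sid in self.sessions:
            return self.sessions[sid][0]
        # Row gone (or cookie gone): fall back to the long-term cookie,
        # which re-creates a session row and a fresh session cookie.
        uid = browser.get("permanent", now)
        if uid is not None:
            self._start_session(browser, uid, now)
            return uid
        return ANONYMOUS


def simulate(long_term: bool, hits: Iterable[int], **site_settings) -> List[int]:
    """Log uid 42 in at t=0 and report who the site sees at each hit time."""
    site = Site(**site_settings)
    browser = Browser()
    site.login(browser, 42, 0, long_term)
    return [site.request(browser, t) for t in hits]


if __name__ == "__main__":
    hits = [60, 200, 7000, 29000]   # constructed hit times, in seconds
    print("with long-term cookie:     ", simulate(True, hits))
    print("without long-term cookie:  ", simulate(False, hits))
    # purging no sooner than the session cookie expires keeps the OAuth user in
    print("threshold = cookie timeout:",
          simulate(False, hits, whosonline_threshold=7200))
```

The first run stays logged in across the 120 second boundary only because the long-term cookie silently re-creates the session row; the second run, with no long-term cookie, drops to anonymous at the 200 second hit even though the session cookie is still valid. The third run sets the purge threshold equal to the session cookie timeout, which is the change the post argues for, and the cookie-less user then stays logged in until the session cookie itself expires.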