[geeklog-devel] OAuth and sessions (was: Geeklog 1.8.0)

Tom websitemaster at cogeco.net
Mon Apr 25 09:53:24 EDT 2011

>> So what's different here for Twitter (all OAuth?) users? Haven't really
>> dug into the code, I have to admit.

I am not sure either. I will have to dig around unless hiroron has an idea.

I just tested the Facebook login (I see Rouslan on there with me). Dirk,
in the config can you allow users to change their usernames?

I also get logged off after about 2 minutes using a Facebook account ... so
it seems to be an OAuth issue. The problem is, I can't reproduce this on my
own servers. 

Suprsidr did have a similar issue on his server which I could never
reproduce ... he seemed to be the only one having the problem until now with

I will look into the code again to see if I can discover why. 

-----Original Message-----
From: geeklog-devel-bounces at lists.geeklog.net
[mailto:geeklog-devel-bounces at lists.geeklog.net] On Behalf Of Dirk Haun
Sent: April-25-11 5:17 AM
To: Geeklog Development
Subject: [geeklog-devel] OAuth and sessions (was: Geeklog 1.8.0)

> If you see anything else not working as expected, let me know please.

It seems users who logged in with Twitter are logged out after 2 minutes.

The reason for this is this piece of code in lib-common.php:

// Clear out any expired sessions
DB_query( "DELETE FROM {$_TABLES['sessions']} WHERE start_time < " . ( time() - $_CONF['whosonline_threshold'] ));

The threshold is set to 120 seconds on geeklog.net. After that time, the
session is deleted. For "normal" logged-in users, this doesn't matter since
then their session cookie kicks in, which has a timeout of 7200 seconds (or
2 hours).

So what's different here for Twitter (all OAuth?) users? Haven't really
dug into the code, I have to admit.

Actually, now that I think about it, deleting the session before the session
cookie expires doesn't make sense. Normal logged-in users also have the
long-term cookie, the time for which is set in My Account and defaults to 8
hours. So their session is removed after 2 minutes, the session cookie
doesn't help either, so we actually fall back to the long-term cookie.
Which, for some reason, doesn't seem to be there for OAuth (or at least
Twitter) users ...

Cue discussion about replacing our Byzantine session handling in 3, 2, 1,

bye, Dirk
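Added illustration, not Geeklog's own code: the Python below models the three-step fallback Dirk describes (session row in the sessions table, then the session cookie, then the long-term cookie) with the three timeouts quoted in the thread. The sqlite table layout, the cookie dictionaries, the "tok-<uid>" token check and the purge_age parameter are assumptions made here for the example. Resolving a "normal" user (who has a long-term cookie) and an OAuth-style user (who does not) at 60 s and at 121 s reproduces the 2-minute logout for the second user only; passing purge_age equal to the session-cookie timeout shows that not deleting rows before the session cookie expires makes the symptom disappear.

```python
"""Model of session-row purge vs. session cookie vs. long-term cookie fallback.

Example code written for this thread, not Geeklog's implementation. Table
columns, cookie shapes and the token check are assumptions for illustration.
"""
import sqlite3

WHOSONLINE_THRESHOLD = 120             # seconds; value quoted for geeklog.net
SESSION_COOKIE_TIMEOUT = 7200          # seconds; quoted in the thread
LONG_TERM_COOKIE_TIMEOUT = 8 * 3600    # default "My Account" lifetime quoted in the thread


def make_db():
    """Minimal stand-in for $_TABLES['sessions'] (assumed column names)."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE sessions (sess_id TEXT PRIMARY KEY, uid INTEGER, start_time INTEGER)"
    )
    return db


def purge_expired_sessions(db, now, purge_age=WHOSONLINE_THRESHOLD):
    """Same effect as the DELETE in lib-common.php; returns rows removed."""
    cur = db.execute("DELETE FROM sessions WHERE start_time < ?", (now - purge_age,))
    return cur.rowcount


def login(db, uid, now, remember=True):
    """Create a session row and the cookies a browser would hold afterwards.

    remember=False models the OAuth case from the thread: no long-term cookie.
    """
    sess_id = f"sess-{uid}-{now}"
    db.execute("INSERT INTO sessions VALUES (?, ?, ?)", (sess_id, uid, now))
    cookies = {"session": {"id": sess_id, "issued": now}}
    if remember:
        # Token format is an assumption; a real one would be a random secret.
        cookies["long_term"] = {"uid": uid, "token": f"tok-{uid}", "issued": now}
    return cookies


def resolve_uid(db, cookies, now, purge_age=WHOSONLINE_THRESHOLD):
    """Return the uid the request is attributed to, or None (logged out)."""
    purge_expired_sessions(db, now, purge_age)

    # Step 1: session cookie is only useful while its row still exists.
    sess = cookies.get("session")
    if sess and now - sess["issued"] < SESSION_COOKIE_TIMEOUT:
        row = db.execute(
            "SELECT uid FROM sessions WHERE sess_id = ?", (sess["id"],)
        ).fetchone()
        if row:
            return row[0]

    # Step 2: fall back to the long-term cookie and re-create the session row.
    lt = cookies.get("long_term")
    if (
        lt
        and now - lt["issued"] < LONG_TERM_COOKIE_TIMEOUT
        and lt["token"] == f"tok-{lt['uid']}"   # assumed token check
    ):
        new_id = f"sess-{lt['uid']}-{now}"
        db.execute("INSERT INTO sessions VALUES (?, ?, ?)", (new_id, lt["uid"], now))
        cookies["session"] = {"id": new_id, "issued": now}
        return lt["uid"]

    return None


def demo(purge_age=WHOSONLINE_THRESHOLD):
    """Resolve a normal user (uid 1) and an OAuth-style user (uid 2) over time."""
    db = make_db()
    normal = login(db, 1, now=0, remember=True)
    oauth = login(db, 2, now=0, remember=False)
    return {
        "t=60": (resolve_uid(db, normal, 60, purge_age), resolve_uid(db, oauth, 60, purge_age)),
        "t=121": (resolve_uid(db, normal, 121, purge_age), resolve_uid(db, oauth, 121, purge_age)),
    }


if __name__ == "__main__":
    print("purge after whosonline threshold:", demo())
    print("purge after session-cookie timeout:", demo(SESSION_COOKIE_TIMEOUT))
```

With the default purge age the run returns (1, 2) at 60 s and (1, None) at 121 s: the normal user is silently re-logged-in from the long-term cookie, the user without one is dropped. With purge_age=SESSION_COOKIE_TIMEOUT both stay logged in at 121 s. If the same threshold also drives the who's-online display, raising the purge age would need a separate last-activity criterion for that list; the model above does not attempt that.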
