[geeklog-devel] OAuth and sessions (was: Geeklog 1.8.0)

Tom websitemaster at cogeco.net
Mon Apr 25 10:58:04 EDT 2011


I did a quick look through of the code again and didn't see a reason for
getting logged off after 2 minutes of inactivity. Once you log in via OAuth
it should be just the normal Geeklog session handling after that. So either
the cookie is not set properly or it is not being read. 

Dirk, can you turn on logging and then login with twitter to see what the
error log reports?

Tom



-----Original Message-----
From: geeklog-devel-bounces at lists.geeklog.net
[mailto:geeklog-devel-bounces at lists.geeklog.net] On Behalf Of Tom
Sent: April-25-11 9:53 AM
To: 'Geeklog Development'
Subject: Re: [geeklog-devel] OAuth and sessions (was: Geeklog 1.8.0)

>> So what's different here for Twitter (all OAuth?) users? Haven't really
>> dug into the code, I have to admit.

I am not sure either. I will have to dig around unless hiroron has an idea.

I just tested the Facebook login (I see Rouslan on there with me).  Dirk,
in the config can you allow users to change their usernames?

I also get logged off after about 2 minutes using a Facebook account ... so
it seems to be an OAuth issue. The problem is, I can't reproduce this on my
own servers. 

Suprsidr did have a similar issue on his server which I could never
reproduce ... he seemed to be the only one having the problem until now with
Geeklog.net.

I will look into the code again to see if I can discover why. 

Tom
 
-----Original Message-----
From: geeklog-devel-bounces at lists.geeklog.net
[mailto:geeklog-devel-bounces at lists.geeklog.net] On Behalf Of Dirk Haun
Sent: April-25-11 5:17 AM
To: Geeklog Development
Subject: [geeklog-devel] OAuth and sessions (was: Geeklog 1.8.0)

> If you see anything else not working as expected, let me know please.

It seems users who logged in with Twitter are logged out after 2 minutes.

The reason for this is this piece of code in lib-common.php:

// Clear out any expired sessions
DB_query( "DELETE FROM {$_TABLES['sessions']} WHERE start_time < "
    . ( time() - $_CONF['whosonline_threshold'] ));

The threshold is set to 120 seconds on geeklog.net. After that time, the
session is deleted. For "normal" logged-in users, this doesn't matter since
then their session cookie kicks in, which has a timeout of 7200 seconds (or
2 hours).

So what's different here for Twitter (all OAuth?) users? Haven't really
dug into the code, I have to admit.


Actually, now that I think about it, deleting the session before the session
cookie expires doesn't make sense. Normal logged-in users also have the
long-term cookie, the time for which is set in My Account and defaults to 8
hours. So their session is removed after 2 minutes, the session cookie
doesn't help either, so we actually fall back to the long-term cookie.
Which, for some reason, doesn't seem to be there for OAuth (or at least
Twitter) users ...

Cue discussion about replacing our Byzantine session handling in 3, 2, 1,
....

bye, Dirk

_______________________________________________
geeklog-devel mailing list
geeklog-devel at lists.geeklog.net
http://eight.pairlist.net/mailman/listinfo/geeklog-devel
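
The timer interaction Dirk describes above, as an added example that is not part of the thread and not Geeklog's own code: a small in-memory model of the purge, the session cookie and the long-term cookie. The function names, the array layout, the refresh of start_time on each request and the third case (purging at the session cookie timeout instead of whosonline_threshold) are assumptions made for illustration; the 120, 7200 and 8-hour values are the ones quoted in the thread.

```php
<?php
// Simplified model of the behaviour described in the thread; not Geeklog's code.
// Assumption: start_time is refreshed on every request that finds a live session.
const WHOSONLINE_THRESHOLD = 120;   // seconds, value quoted for geeklog.net
const SESSION_COOKIE_TTL   = 7200;  // seconds, session cookie timeout from the thread
const LONGTERM_COOKIE_TTL  = 28800; // seconds, the 8-hour default from the thread

/** Mirrors the DELETE from lib-common.php: drop rows older than $threshold. */
function purgeSessions(array &$sessions, int $now, int $threshold): void
{
    foreach ($sessions as $id => $row) {
        if ($row['start_time'] < $now - $threshold) {
            unset($sessions[$id]);
        }
    }
}

/** Handle one request at time $now; returns how the user was recognised. */
function handleRequest(array &$sessions, array $cookies, int $now, int $threshold): string
{
    purgeSessions($sessions, $now, $threshold);
    $sid = $cookies['session']['id'] ?? null;
    $sessionCookieLive = $sid !== null && $now < $cookies['session']['expires'];
    if ($sessionCookieLive && isset($sessions[$sid])) {
        $sessions[$sid]['start_time'] = $now;   // refresh on activity
        return 'session';
    }
    if (isset($cookies['longterm']) && $now < $cookies['longterm']['expires']) {
        $sessions[$sid ?? 'renewed'] = ['start_time' => $now]; // assumed: row is re-created
        return 'long-term cookie';
    }
    return 'logged out';
}

/** Log in at t=0, stay idle for $idle seconds, then send one request. */
function simulate(bool $hasLongterm, int $idle, int $threshold): string
{
    $sessions = ['abc' => ['start_time' => 0]];   // constructed sample session row
    $cookies  = ['session' => ['id' => 'abc', 'expires' => SESSION_COOKIE_TTL]];
    if ($hasLongterm) {
        $cookies['longterm'] = ['expires' => LONGTERM_COOKIE_TTL];
    }
    return handleRequest($sessions, $cookies, $idle, $threshold);
}

printf("normal, 121 s idle, purge at 120 s:  %s\n", simulate(true, 121, WHOSONLINE_THRESHOLD));
printf("OAuth,  121 s idle, purge at 120 s:  %s\n", simulate(false, 121, WHOSONLINE_THRESHOLD));
printf("OAuth,  121 s idle, purge at 7200 s: %s\n", simulate(false, 121, SESSION_COOKIE_TTL));
```

In this model the session cookie never decides the outcome while the purge runs at 120 seconds: the row is gone long before the cookie expires, so only the long-term cookie separates the two kinds of user.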
