[geeklog-devel] OAuth and sessions (was: Geeklog 1.8.0)

Tom websitemaster at cogeco.net
Tue Apr 26 11:35:09 EDT 2011

Okay, I found the problem with the OAuth account being logged out after 2
minutes of inactivity. This affects our OpenID implementation as well I
believe (I haven't tested it yet, I need to get an OpenID 1.0 account).

The problem lies with the password cookie.  We do not create and store
passwords for OAuth accounts because there was no need due to the
authentication happening with the OAuth provider. The problem is that the
session handler was not updated to take this into account.

I have an update to fix the issue. Basically when an OAuth account is
created, a password is now created as well. The only purpose of this
password is to validate the session cookie information. I also updated the
SESS_getUserDataFromId function and allowed it to returned the hash password
as well so that when the user gets logged in the cookie will be set with a
valid password.

I have updated the OpenID implementation as well and when an account is
created with USER_createAccount I now supply a password to use with the
account. As I mentioned before this OpenId fix is not tested but only 2
lines where changed.


-----Original Message-----
From: geeklog-devel-bounces at lists.geeklog.net
[mailto:geeklog-devel-bounces at lists.geeklog.net] On Behalf Of Dirk Haun
Sent: April-25-11 11:59 AM
To: Geeklog Development
Subject: Re: [geeklog-devel] OAuth and sessions (was: Geeklog 1.8.0)

Tom wrote:

> I doubt if I can spend much more time on this today. I hope to figure 
> out the problem tomorrow.

No problem. Good to hear you have a handle on it.

I'll go ahead and publish b2 later today and we can then roll the fix into

bye, Dirk

geeklog-devel mailing list
geeklog-devel at lists.geeklog.net

More information about the geeklog-devel mailing list