feat(security): add session timeout + transaction wrapping (B1)
Session timeout: configurable idle (default 30min) and absolute (default 8h) timeouts via DB settings, enforced in web/index.php on every request. Timestamps set at login in action layer; graceful fallback for pre-existing sessions. Transaction wrapping: UserAccountService.createFromAdmin/register, roles create/edit, and permissions edit now wrap multi-step DB operations in transactions to guarantee atomicity. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
@@ -33,6 +33,8 @@ final class SettingKeys
|
||||
public const FRONTEND_TELEMETRY_ENABLED_KEY = 'frontend_telemetry_enabled';
|
||||
public const FRONTEND_TELEMETRY_SAMPLE_RATE_KEY = 'frontend_telemetry_sample_rate';
|
||||
public const FRONTEND_TELEMETRY_ALLOWED_EVENTS_KEY = 'frontend_telemetry_allowed_events';
|
||||
public const SESSION_IDLE_TIMEOUT_MINUTES_KEY = 'session_idle_timeout_minutes';
|
||||
public const SESSION_ABSOLUTE_TIMEOUT_HOURS_KEY = 'session_absolute_timeout_hours';
|
||||
|
||||
private function __construct()
|
||||
{
|
||||
|
||||
Reference in New Issue
Block a user