feat(security): add session timeout + transaction wrapping (B1)
Session timeout: configurable idle (default 30min) and absolute (default 8h) timeouts via DB settings, enforced in web/index.php on every request. Timestamps set at login in action layer; graceful fallback for pre-existing sessions. Transaction wrapping: UserAccountService.createFromAdmin/register, roles create/edit, and permissions edit now wrap multi-step DB operations in transactions to guarantee atomicity. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
@@ -55,6 +55,38 @@ if (empty($_SESSION['user']['id'])) {
|
||||
$rememberMeService->autoLoginFromCookie();
|
||||
}
|
||||
|
||||
// Session timeout enforcement (idle + absolute)
|
||||
if (!empty($_SESSION['user']['id'])) {
|
||||
$now = time();
|
||||
$sessionStartedAt = (int) ($_SESSION['session_started_at'] ?? 0);
|
||||
$sessionLastActivity = (int) ($_SESSION['session_last_activity'] ?? 0);
|
||||
|
||||
// Gracefully handle pre-existing sessions that lack timestamps.
|
||||
if ($sessionStartedAt === 0) {
|
||||
$_SESSION['session_started_at'] = $now;
|
||||
$sessionStartedAt = $now;
|
||||
}
|
||||
if ($sessionLastActivity === 0) {
|
||||
$_SESSION['session_last_activity'] = $now;
|
||||
$sessionLastActivity = $now;
|
||||
}
|
||||
|
||||
$sessionGateway = app(\MintyPHP\Service\Settings\SettingsSessionGateway::class);
|
||||
$idleTimeoutSeconds = $sessionGateway->getSessionIdleTimeoutSeconds();
|
||||
$absoluteTimeoutSeconds = $sessionGateway->getSessionAbsoluteTimeoutSeconds();
|
||||
|
||||
$isIdle = ($now - $sessionLastActivity) > $idleTimeoutSeconds;
|
||||
$isAbsolute = ($now - $sessionStartedAt) > $absoluteTimeoutSeconds;
|
||||
|
||||
if ($isIdle || $isAbsolute) {
|
||||
$authService->logout();
|
||||
Flash::error(t('Your session has expired. Please log in again.'), 'login', 'session_timeout');
|
||||
Router::redirect('login');
|
||||
}
|
||||
|
||||
$_SESSION['session_last_activity'] = $now;
|
||||
}
|
||||
|
||||
// Parse request URI and resolve locale
|
||||
$originalUri = $_SERVER['REQUEST_URI'] ?? '';
|
||||
$_SERVER['MINTY_ORIGINAL_URI'] = $originalUri;
|
||||
|
||||
Reference in New Issue
Block a user