feat(auth): keep remember tokens on session timeout

- add timeout-specific logout path without remember-token revocation

- reset session timers after remember-me auto login

- compact session policy wording in admin settings (DE/EN)

- extend auth tests for timeout/manual logout behavior
This commit is contained in:
2026-03-09 20:47:21 +01:00
parent 792af5a532
commit af8ee10930
8 changed files with 106 additions and 11 deletions

View File

@@ -79,7 +79,7 @@ if (!empty($_SESSION['user']['id'])) {
$isAbsolute = ($now - $sessionStartedAt) > $absoluteTimeoutSeconds;
if ($isIdle || $isAbsolute) {
$authService->logout();
$authService->logoutDueToSessionTimeout();
Flash::error(t('Your session has expired. Please log in again.'), 'login', 'session_timeout');
Router::redirect('login');
}