canvas-lms/app/middleware
James Williams 568976fbc7 change encrypted cookie store to fix session timeout plugin
moves the load account and session timeout plugin middleware
to set the expire_after before the session store is called,
and changes encrypted_cookie_store to use that option so it can
invalidate expired sessions when it unmarshals the data
for the first time.

The reason it seemed to work locally is because it sets
@options[:expire_after] after the first request.
Unfortunately this second time doesn't often happen
in the actual application when distributed amongst several
instances.

test plan:
* set the "Sessions" plugin settings to timeout after
1 minute using the following console commands:

ps = PluginSetting.find_or_create_by_name_and_account_id("sessions", Account.default)
ps.settings = {"session_timeout" => "1"}
ps.disabled = false
ps.save!

* (Note: normally this would be done
by going through the plugin settings ui, however, it enforces
a minimum of 20 minutes, which is difficult to test with)

* start the server and log in
* shut down the server
* wait for 1 minute for the session to time out
* restart the server and try to click a link
* should be redirected to the log-in page

fixes #CNVS-7870

Change-Id: I843b73da7d3c001f7e632b1454c63f9d6c07f73d
Reviewed-on: https://gerrit.instructure.com/26911
Tested-by: Jenkins <jenkins@instructure.com>
Reviewed-by: Bracken Mosbacker <bracken@instructure.com>
Product-Review: Bracken Mosbacker <bracken@instructure.com>
QA-Review: Jeremy Putnam <jeremyp@instructure.com>
2013-12-05 21:08:50 +00:00
..
load_account.rb start adding rails 3.0 support 2013-03-22 19:08:40 +00:00
prevent_non_multipart_parse.rb sis import api 2011-04-08 15:45:57 -06:00
sessions_timeout.rb change encrypted cookie store to fix session timeout plugin 2013-12-05 21:08:50 +00:00
stats_timing.rb remove the account.* statsd logging 2012-10-10 11:10:22 -06:00