Affected version(s)
4.4.x, all (and probably all later versions including 4.7.)
Description
If a user enters a very long session lifetime in the backend, he will not be able to log in again afterwards.
How to reproduce
Go to backend -> settings and enter an unusually large value for session expiration, for example 360000000000 seconds. Log out. Try to log in again.
IMO, this setting should only be able to accept reasonable values. Any session longer than a week (or a month, or a year) should not be accepted if the value becomes too large.
Maybe it needs to be checked against PHP_INT_MAX?
Should only affect 4.4.x, as the setting is no longer present in 4.7. As I understand it, right now in 4.7 it no longer exists in the BE, but is so far not implemented in CM.
Do we already check these types of files (config) in any way, if they are manually changed? Because checking the setting in the BE seems not enough for 4.7.x (because it doesn't have this setting).
Maybe a "maxval" or "maxlength" in the tl_session.sessionTimeout DCA eval would be a safe but still flexible way.
Fixed as discussed in Mumble in 432251d95c4db7c51e39378a93f7dce93dafe5f2.
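The bound check proposed in the comments above, as an added PHP example; it is not Contao's code and not the fix in the referenced commit. The function names, the 60-second floor, the one-week ceiling and the fallback default are assumptions, and the second function covers the hand-edited config file case raised in the thread.

```php
<?php
declare(strict_types=1);

// Assumed policy bounds in seconds; the thread does not settle on a number.
const MIN_SESSION_TIMEOUT = 60;
const MAX_SESSION_TIMEOUT = 604800;   // one week
const DEFAULT_SESSION_TIMEOUT = 3600; // fallback for unusable config values

/**
 * Hypothetical validator for a value typed into a settings form.
 * Throws instead of letting an out-of-range value be stored.
 */
function validateSessionTimeout($raw, int $now): int
{
    if (is_int($raw)) {
        $raw = (string) $raw;
    }
    // Digits only, at most 7 of them: the cast below can then never
    // overflow, even where PHP_INT_MAX is 2147483647 (32-bit builds).
    if (!is_string($raw) || preg_match('/^[0-9]{1,7}$/', $raw) !== 1) {
        throw new InvalidArgumentException('Session timeout must be a whole number of seconds.');
    }
    $timeout = (int) $raw;
    if ($timeout < MIN_SESSION_TIMEOUT || $timeout > MAX_SESSION_TIMEOUT) {
        throw new InvalidArgumentException('Session timeout out of range.');
    }
    // The PHP_INT_MAX check: the expiry timestamp must still fit an integer.
    if ($timeout > PHP_INT_MAX - $now) {
        throw new InvalidArgumentException('Session expiry would overflow.');
    }
    return $timeout;
}

/** Hypothetical loader for a hand-edited config value: validate, else fall back. */
function effectiveSessionTimeout($configured, int $now): int
{
    try {
        return validateSessionTimeout($configured, $now);
    } catch (InvalidArgumentException $e) {
        error_log('Ignoring invalid sessionTimeout: ' . $e->getMessage());
        return DEFAULT_SESSION_TIMEOUT;
    }
}

// Constructed sample inputs, including the value from the report.
foreach (['3600', 360000000000, '360000000000', '-1', '1e9', null] as $value) {
    printf("%-16s => %d\n", var_export($value, true), effectiveSessionTimeout($value, time()));
}
```

Validating again when the value is read, not only when it is saved, means a value changed directly in the config file cannot bypass the form check.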