Reduced default time security tokens stay valid from 30 days to 2 days (reduces chances of session data growing too large)
authorpdontthink <pdontthink@7612ce4b-ef26-0410-bec9-ea0150e637f0>
Mon, 21 Jun 2010 07:01:16 +0000 (07:01 +0000)
committerpdontthink <pdontthink@7612ce4b-ef26-0410-bec9-ea0150e637f0>
Mon, 21 Jun 2010 07:01:16 +0000 (07:01 +0000)
git-svn-id: https://svn.code.sf.net/p/squirrelmail/code/trunk/squirrelmail@13949 7612ce4b-ef26-0410-bec9-ea0150e637f0

doc/ChangeLog
functions/strings.php

index 50f062af4017da336e77558397aeb845be7f915a..c39d7cec79e7942d8b2a0da574f05e756658a7a3 100644 (file)
@@ -340,6 +340,8 @@ Version 1.5.2 - SVN
   - Fix error with SpamCop reporting plugin not being able to send report as
     emails (#1795310).
   - Fix typo in SpamCop plugin.
+  - Reduced default time security tokens stay valid from 30 days to 2 days
+    (reduces chances of session data growing too large)
 
 Version 1.5.1 (branched on 2006-02-12)
 --------------------------------------
index 50e9bfea4536bae5e990eec77fca39bfe01ddd31..64ec8715dc917055d982f489225c159f55e1d322 100644 (file)
@@ -1468,7 +1468,7 @@ function sm_truncate_string($string, $max_chars, $elipses='',
   *
   * @param boolean $purge_old Indicates if old tokens
   *                           should be purged from the
-  *                           list ("old" is 30 days or
+  *                           list ("old" is 2 days or
   *                           older unless the administrator
   *                           overrides that value using
   *                           $max_security_token_age in
@@ -1494,7 +1494,7 @@ function sm_get_user_security_tokens($purge_old=TRUE)
    //
    if ($purge_old)
    {
-      if (empty($max_token_age_days)) $max_token_age_days = 30;
+      if (empty($max_token_age_days)) $max_token_age_days = 2;
       $now = time();
       $discard_token_date = $now - ($max_token_age_days * 86400);
       $cleaned_tokens = array();
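Review bot: The new default is applied through `empty($max_token_age_days)` two lines above, so an administrator who deliberately sets the override to `0` silently gets the 2-day default back, and a negative or non-numeric override is not rejected at all — a negative value puts `$discard_token_date` in the future and the purge would then drop every stored token. Assuming `$max_token_age_days` is populated from `$max_security_token_age` above the hunk, the guard should distinguish "unset" from "zero" and reject invalid input, e.g. `if (!isset($max_token_age_days) || !is_numeric($max_token_age_days) || $max_token_age_days < 0) $max_token_age_days = 2;`. The identical guard in sm_validate_security_token has the same weakness and should be changed in step so the purge window and the validation window stay consistent. sm_get_user_security_tokens begins and continues outside this hunk.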
@@ -1562,7 +1562,7 @@ function sm_generate_security_token()
   * from the user's preferences if it was valid.  If the token
   * is too old but otherwise valid, it will still be rejected.
   *
-  * "Too old" is 30 days or older unless the administrator
+  * "Too old" is 2 days or older unless the administrator
   * overrides that value using $max_security_token_age in
   * config/config_local.php
   *
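Review bot: The docblock names the override `$max_security_token_age` but never states its unit, so an administrator may reasonably set seconds or hours; the guard in the next hunk multiplies the value by 86400, which fixes the unit as days. Suggest `* overrides that value using $max_security_token_age (in days) in` so the contract is explicit. Fractional days appear to be accepted since the value is only multiplied, but that is inferred from the arithmetic rather than documented, so say so only if it is intended. The enclosing docblock and sm_validate_security_token extend outside this hunk.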
@@ -1628,7 +1628,7 @@ function sm_validate_security_token($token, $validity_period=0, $show_error=FALS
 
    // reject tokens that are too old
    //
-   if (empty($max_token_age_days)) $max_token_age_days = 30;
+   if (empty($max_token_age_days)) $max_token_age_days = 2;
    $old_token_date = $now - ($max_token_age_days * 86400);
    if ($timestamp < $old_token_date)
    {
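Review bot: The 2-day default is now hard-coded independently here and in sm_get_user_security_tokens (plus the two docblocks), so a later edit to one site leaves the purge window and the validation window disagreeing — one function may still accept a token the other has already discarded, or vice versa. Define the value once, e.g. `define('SM_SECURITY_TOKEN_MAX_AGE_DAYS', 2);` near the top of functions/strings.php, and reference it in both guards: `if (empty($max_token_age_days)) $max_token_age_days = SM_SECURITY_TOKEN_MAX_AGE_DAYS;`. Separately, the updated docblock says tokens "2 days or older" are rejected while `$timestamp < $old_token_date` rejects only tokens strictly older than that; either is acceptable but comment and code should agree. sm_validate_security_token starts and continues outside this hunk.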