Reduced default time security tokens stay valid from 30 days to 2 days (reduces chanc...

git-svn-id: https://svn.code.sf.net/p/squirrelmail/code/trunk/squirrelmail@13949 7612ce4b-ef26-0410-bec9-ea0150e637f0

diff --git a/doc/ChangeLog b/doc/ChangeLog
index 50f062af4017da336e77558397aeb845be7f915a..c39d7cec79e7942d8b2a0da574f05e756658a7a3 100644 (file)
--- a/doc/ChangeLog
+++ b/doc/ChangeLog
@@ -340,6 +340,8 @@ Version 1.5.2 - SVN
   - Fix error with SpamCop reporting plugin not being able to send report as
     emails (#1795310).
   - Fix typo in SpamCop plugin.
   - Fix error with SpamCop reporting plugin not being able to send report as
     emails (#1795310).
   - Fix typo in SpamCop plugin.

+  - Reduced default time security tokens stay valid from 30 days to 2 days
+    (reduces chances of session data growing too large)

 
 Version 1.5.1 (branched on 2006-02-12)
 --------------------------------------
 
 Version 1.5.1 (branched on 2006-02-12)
 --------------------------------------

diff --git a/functions/strings.php b/functions/strings.php
index 50e9bfea4536bae5e990eec77fca39bfe01ddd31..64ec8715dc917055d982f489225c159f55e1d322 100644 (file)
--- a/functions/strings.php
+++ b/functions/strings.php
@@ -1468,7 +1468,7 @@ function sm_truncate_string($string, $max_chars, $elipses='',
   *
   * @param boolean $purge_old Indicates if old tokens
   *                           should be purged from the
   *
   * @param boolean $purge_old Indicates if old tokens
   *                           should be purged from the

-  *                           list ("old" is 30 days or
+  *                           list ("old" is 2 days or

   *                           older unless the administrator
   *                           overrides that value using
   *                           $max_security_token_age in
   *                           older unless the administrator
   *                           overrides that value using
   *                           $max_security_token_age in


@@ -1494,7 +1494,7 @@ function sm_get_user_security_tokens($purge_old=TRUE)
    //
    if ($purge_old)
    {
    //
    if ($purge_old)
    {

-      if (empty($max_token_age_days)) $max_token_age_days = 30;
+      if (empty($max_token_age_days)) $max_token_age_days = 2;

       $now = time();
       $discard_token_date = $now - ($max_token_age_days * 86400);
       $cleaned_tokens = array();
       $now = time();
       $discard_token_date = $now - ($max_token_age_days * 86400);
       $cleaned_tokens = array();


@@ -1562,7 +1562,7 @@ function sm_generate_security_token()
   * from the user's preferences if it was valid.  If the token
   * is too old but otherwise valid, it will still be rejected.
   *
   * from the user's preferences if it was valid.  If the token
   * is too old but otherwise valid, it will still be rejected.
   *

-  * "Too old" is 30 days or older unless the administrator
+  * "Too old" is 2 days or older unless the administrator

   * overrides that value using $max_security_token_age in
   * config/config_local.php
   *
   * overrides that value using $max_security_token_age in
   * config/config_local.php
   *


@@ -1628,7 +1628,7 @@ function sm_validate_security_token($token, $validity_period=0, $show_error=FALS
 
    // reject tokens that are too old
    //
 
    // reject tokens that are too old
    //

-   if (empty($max_token_age_days)) $max_token_age_days = 30;
+   if (empty($max_token_age_days)) $max_token_age_days = 2;

    $old_token_date = $now - ($max_token_age_days * 86400);
    if ($timestamp < $old_token_date)
    {
    $old_token_date = $now - ($max_token_age_days * 86400);
    if ($timestamp < $old_token_date)
    {