While 60 seconds is probably a reasonable default, some people might want to give it a longer timespan.

The attached patch proposes introducing a site variable, cram_nonce_ttl, which is assigned to a constant CRAM_NONCE_TTL. This also removes redundancy in having to specify the TTL several places (currently only on line 50 and 130 (pre-patch) though). One suggestion for usability is to have a dropdown instead of a textfield, with pre-populated values (e.g. "30 seconds", "1 minute", "2 minutes", "5 minutes", "10 minutes", "15 minutes", "30 minutes", "45 minutes", "1 hour", ...). Also, the wording of cram_admin_settings['cram_nonce_ttl'] strings could probably use a loving eye.

If this is accepted, I can probably look into a backport for 5.x as well. If this is not accepted as-is, the constant might still be worth considering, to avoid having "60" 60 different places and forget to update one of the when you decide to switch to "90". ;)

CommentFileSizeAuthor
#8 cram.d5.nonce_ttl.patch2.79 KBFreso
#5 cram.d6.nonce_ttl.patch3.27 KBFreso
#4 cram.d6.nonce_ttl.patch3.66 KBFreso
cram.d6.nonce_ttl.patch3.24 KBFreso

Comments

Freso’s picture

Freso commented
Status: Active » Needs review

Note that this might fail if applied after #224835: Do proper checking of cram_nonce.valid (but hopefully it'll just apply fuzzily).

selmanj’s picture

selmanj commented
Status: Needs review » Needs work

I like this idea, but before we commit it we should probably decide what reasonable limits are for the timeout. Obviously having a timeout of 1 second is probably impossible to use, and having a timeout of 1 day would be really bad too (at least on a busy site).

I would say 5 minutes would be a good default, and then let it be configurable down to 1 minute and up to... say, 1 hour?

Also, I'm not sure why the code uses a constant in place of just using variable_get() wherever appropriate. Is this so if the default changes, we don't have to change it everywhere in the code?

Freso’s picture

Freso commented

I'm not sure why the code uses a constant in place of just using variable_get() wherever appropriate. Is this so if the default changes, we don't have to change it everywhere in the code?
Exactly. It's also more readable IMHO (compare time()-CRAM_NONCE_TTL to time()-variable_get('cram_nonce_ttl', 300)).

Freso’s picture

Freso commented
Status: Needs work » Needs review
StatusFileSize
new cram.d6.nonce_ttl.patch3.66 KB

Here's an updated patch, which has a dropdown instead of a text field. Works here. I can probably port it when it's checked in, but I don't want to do it before, in case stuff needs changing, and some of the areas this patch affects aren't so similar between D5 and D6 that I trust it to be a piece of cake to do. It probably is, but... let's just get this completed polished up beforehand. :)

Freso’s picture

Freso commented
StatusFileSize
new cram.d6.nonce_ttl.patch3.27 KB

And here's a patch without the _validate function.

selmanj’s picture

selmanj commented
Status: Needs review » Needs work

It looks good to me, but I don't know if I want to apply this yet without a D5 patch as well. I'm afraid of features creeping into d6 that don't get backported into D5.

Marking this as CNW until you or I get a backport written.

Freso’s picture

Freso commented
Version: 6.x-1.x-dev » 5.x-1.x-dev
Status: Needs work » Patch (to be ported)

I've checked this in and will port this during the weekend (if not tonight).

Freso’s picture

Freso commented
Status: Patch (to be ported) » Fixed
StatusFileSize
new cram.d5.nonce_ttl.patch2.79 KB

Well, it turned out to indeed be tonight. :)

I've tested it, and it would appear it works as intended (or at least as well as for D6), so I've also checked it in.

Anonymous’s picture

Anonymous (not verified) commented
Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for two weeks with no activity.