  1. #1
    Join Date
    Nov 2003
    Location
    Haarlem | Netherlands
    Posts
    1,987
    Plugin Contributions
    15

    [Not a bug] typo in sessions.php?

    It's a minor error, and does not cause any problems as it is, but I imagine it may lead to a real bug if the code is updated by someone who is not aware of this typo.

    In includes/functions/sessions.php:
    Code:
        if (!$SESS_LIFE = (SESSION_TIMEOUT_ADMIN > 900 ? 900 : SESSION_TIMEOUT_ADMIN)) {
          $SESS_LIFE = (SESSION_TIMEOUT_ADMIN > 900 ? 900 : SESSION_TIMEOUT_ADMIN);
        }
    (Under normal circumstances the 1st line is always executed, which sets $SESS_LIFE on every page call. The 2nd line will only be executed if SESSION_TIMEOUT_ADMIN is not true...)


    Should be:
    Code:
        if (!$SESS_LIFE == (SESSION_TIMEOUT_ADMIN > 900 ? 900 : SESSION_TIMEOUT_ADMIN)) {
          $SESS_LIFE = (SESSION_TIMEOUT_ADMIN > 900 ? 900 : SESSION_TIMEOUT_ADMIN);
        }
    (note: similar error in several 1.3.x versions)

  2. #2

    Re: 1.5.0BETA-08162011 typo in sessions.php?

    I think I found where it's coming from. The (in)famous pre-zen-cart code used this:
    Code:
        if (!$SESS_LIFE = get_cfg_var('session.gc_maxlifetime')) {
          $SESS_LIFE = 1440;
        }
    Which makes sense. $SESS_LIFE is set to the value of get_cfg_var('session.gc_maxlifetime'), but if the result is a non-true value, $SESS_LIFE is set to 1440. This prevents the session timeout from being zero under some circumstances.

    In Zen Cart 1.1 (and up) the code was copied, and edited to set a separate session timeout for the admin like this:
    Code:
        if (defined('DIR_WS_ADMIN')) {
          if (!$SESS_LIFE = (SESSION_TIMEOUT_ADMIN + 900)) {
            $SESS_LIFE = (SESSION_TIMEOUT_ADMIN + 900);
          }
        } else {
          if (!$SESS_LIFE = get_cfg_var('session.gc_maxlifetime')) {
            $SESS_LIFE = 1440;
          }
        }
    The old part still works as intended, but the new part does not make sense. Here $SESS_LIFE is set to the value of (SESSION_TIMEOUT_ADMIN + 900), and if the result is False it's set to the same value... (False)

    To set SESS_LIFE to a safe value (which I assume is the intention) I would use something like:
    Code:
      if (IS_ADMIN_FLAG === true) {
        // Values outside 300..900 seconds fall back to 900.
        $SESS_LIFE = (SESSION_TIMEOUT_ADMIN < 300 || SESSION_TIMEOUT_ADMIN > 900) ? 900 : SESSION_TIMEOUT_ADMIN;
      } else {
        if (!$SESS_LIFE = get_cfg_var('session.gc_maxlifetime')) {
          $SESS_LIFE = 1440;
        }
      }

  3. #3

    Re: [Not a bug] typo in sessions.php?

    Sorry, indeed not a bug, should have posted to code suggestions. But not really important, it just made me scratch my head.
    (I am sure though it can easily lead to a future bug)
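
The behaviour discussed in this thread, as an added example that is not part of the original posts and not Zen Cart's own code: it runs the assignment-in-condition pattern next to the bounded version suggested in post #2 over constructed settings. The function names are hypothetical; the 300/900 bounds and the 1440 default are the ones quoted in the thread.

```php
<?php
// Added example: helper names are hypothetical, sample values are constructed.

/** Pattern from post #1: the "fallback" re-assigns the same expression. */
function sessLifeShipped($adminTimeout)
{
    if (!$life = ($adminTimeout > 900 ? 900 : $adminTimeout)) {
        // Only reached when the value is falsy, and it stays falsy.
        $life = ($adminTimeout > 900 ? 900 : $adminTimeout);
    }
    return $life;
}

/** Bounded version from post #2: anything outside 300..900 becomes 900. */
function sessLifeAdmin($adminTimeout)
{
    $t = (int) $adminTimeout;
    return ($t < 300 || $t > 900) ? 900 : $t;
}

/**
 * Storefront branch: session.gc_maxlifetime, or 1440 when it is missing or 0.
 * Assumption: negative values are also treated as missing here.
 */
function sessLifeStorefront($gcMaxLifetime)
{
    $t = (int) $gcMaxLifetime;
    return $t > 0 ? $t : 1440;
}

// Constructed stand-ins for SESSION_TIMEOUT_ADMIN.
foreach ([0, '', 120, 600, 900, 3600] as $configured) {
    printf(
        "configured=%-5s shipped=%-5s bounded=%d\n",
        var_export($configured, true),
        var_export(sessLifeShipped($configured), true),
        sessLifeAdmin($configured)
    );
}

// get_cfg_var() returns false when the directive is not set.
printf("gc_maxlifetime=false -> %d\n", sessLifeStorefront(false));
printf("gc_maxlifetime='0'   -> %d\n", sessLifeStorefront('0'));
```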

 

 
