I think I found where it's coming from. The (in)famous pre-zen-cart code used this:
Code:
if (!$SESS_LIFE = get_cfg_var('session.gc_maxlifetime')) {
    $SESS_LIFE = 1440;
}
Which makes sense: $SESS_LIFE is set to the value of get_cfg_var('session.gc_maxlifetime'), but if the result is a non-true value $SESS_LIFE is set to 1440. This prevents the session timeout from being zero under some circumstances.
In Zen Cart 1.1 (and up) the code was copied, and edited to set a separate session timeout for the admin like this:
Code:
if (defined('DIR_WS_ADMIN')) {
    if (!$SESS_LIFE = (SESSION_TIMEOUT_ADMIN + 900)) {
        $SESS_LIFE = (SESSION_TIMEOUT_ADMIN + 900);
    }
} else {
    if (!$SESS_LIFE = get_cfg_var('session.gc_maxlifetime')) {
        $SESS_LIFE = 1440;
    }
}
The old part still works as intended, but the new part does not make sense. Here $SESS_LIFE is set to the value of (SESSION_TIMEOUT_ADMIN + 900), and if the result is False it's set to the same value... (False)
To set $SESS_LIFE to a safe value (which I assume is the intention) I would use something like:
Code:
if (IS_ADMIN_FLAG === true) {
    // Clamp the admin timeout to 300..900 seconds; anything outside that range falls back to 900
    $SESS_LIFE = (SESSION_TIMEOUT_ADMIN < 300 || SESSION_TIMEOUT_ADMIN > 900) ? 900 : SESSION_TIMEOUT_ADMIN;
} else {
    // Catalog side: use php.ini's gc_maxlifetime, or 1440 if it is unset or zero
    if (!$SESS_LIFE = get_cfg_var('session.gc_maxlifetime')) {
        $SESS_LIFE = 1440;
    }
}
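The lifetime decision from the post above, pulled out into a standalone function so that both branches can be exercised on constructed inputs. This is an added example, not Zen Cart's own code: the SESSION_TIMEOUT_ADMIN constant, the session.gc_maxlifetime setting and the 300..900 clamp come from the post, while the function name, its parameters and the sample values are this example's assumptions.

```php
<?php
declare(strict_types=1);

/**
 * Work out the session lifetime in seconds (the post's $SESS_LIFE).
 *
 * $is_admin        true on the admin side (the post's IS_ADMIN_FLAG / DIR_WS_ADMIN test)
 * $admin_timeout   value of SESSION_TIMEOUT_ADMIN, clamped to 300..900 as in the post's fix
 * $gc_maxlifetime  raw get_cfg_var('session.gc_maxlifetime') result: a string, or false if unset
 *
 * Hypothetical helper written for this example; not a Zen Cart function.
 */
function resolve_session_life(bool $is_admin, int $admin_timeout, $gc_maxlifetime): int
{
    if ($is_admin) {
        // The Zen Cart 1.1 admin branch tested (SESSION_TIMEOUT_ADMIN + 900), which is
        // only false when the constant is -900, so its fallback could never run.
        // Clamp to a sane window instead, as the post suggests.
        return ($admin_timeout < 300 || $admin_timeout > 900) ? 900 : $admin_timeout;
    }

    // Catalog side, same intent as "if (!$SESS_LIFE = get_cfg_var(...))": PHP performs
    // the assignment first and negates the result, so false, "" or "0" from
    // get_cfg_var() falls through to the 1440 default. Casting to int is slightly
    // stricter than the original idiom: a non-numeric or negative value also falls back.
    $life = (int) $gc_maxlifetime;
    return $life > 0 ? $life : 1440;
}

// Constructed inputs for demonstration (not read from a real php.ini):
$cases = [
    ['admin' => false, 'admin_to' => 0,    'gc' => '1440'], // PHP's default gc_maxlifetime
    ['admin' => false, 'admin_to' => 0,    'gc' => false],  // setting absent: get_cfg_var() returns false
    ['admin' => false, 'admin_to' => 0,    'gc' => '0'],    // zero would make every session eligible for GC at once
    ['admin' => true,  'admin_to' => 600,  'gc' => '1440'], // inside the allowed window, used as-is
    ['admin' => true,  'admin_to' => 60,   'gc' => '1440'], // too short, clamped to 900
    ['admin' => true,  'admin_to' => 7200, 'gc' => '1440'], // too long, clamped to 900
];

foreach ($cases as $c) {
    printf(
        "admin=%-5s SESSION_TIMEOUT_ADMIN=%-4d gc_maxlifetime=%-7s => SESS_LIFE=%d\n",
        var_export($c['admin'], true),
        $c['admin_to'],
        var_export($c['gc'], true),
        resolve_session_life($c['admin'], $c['admin_to'], $c['gc'])
    );
}
```

One caveat when relying on this value: session.gc_maxlifetime only makes a session eligible for garbage collection after that many idle seconds; it is not a hard expiry. A session that must really end after the chosen timeout still needs a server-side check of its last-activity timestamp on each request.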