author | GitLab Bot <gitlab-bot@gitlab.com> | 2019-10-25 03:06:14 +0300 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2019-10-25 03:06:14 +0300 |
commit | 6d43720a1a86ccca9618417a6d0415e7d522fa49 (patch) | |
tree | ceab63f6374252b8afe4913b949bae39a027366f /app/helpers | |
parent | 46bfa73d93786bc2a832be7e42e2119712a0bafb (diff) |
Add latest changes from gitlab-org/gitlab@master
Diffstat (limited to 'app/helpers')
-rw-r--r-- | app/helpers/sessions_helper.rb | 16 |
1 files changed, 16 insertions, 0 deletions
diff --git a/app/helpers/sessions_helper.rb b/app/helpers/sessions_helper.rb
index af98a611b8b..ef737b25bc7 100644
--- a/app/helpers/sessions_helper.rb
+++ b/app/helpers/sessions_helper.rb
@@ -4,4 +4,20 @@ module SessionsHelper
 def unconfirmed_email?
 flash[:alert] == t(:unconfirmed, scope: [:devise, :failure])
 end
+
+ # By default, all sessions are given the same expiration time configured in
+ # the session store (e.g. 1 week). However, unauthenticated users can
+ # generate a lot of sessions, primarily for CSRF verification. It makes
+ # sense to reduce the TTL for unauthenticated to something much lower than
+ # the default (e.g. 1 hour) to limit Redis memory. In addition, Rails
+ # creates a new session after login, so the short TTL doesn't even need to
+ # be extended.
+ def limit_session_time
+ # Rack sets this header, but not all tests may have it: https://github.com/rack/rack/blob/fdcd03a3c5a1c51d1f96fc97f9dfa1a9deac0c77/lib/rack/session/abstract/id.rb#L251-L259
+ return unless request.env['rack.session.options']
+
+ # This works because Rack uses these options every time a request is handled:
+ # https://github.com/rack/rack/blob/fdcd03a3c5a1c51d1f96fc97f9dfa1a9deac0c77/lib/rack/session/abstract/id.rb#L342
+ request.env['rack.session.options'][:expire_after] = Settings.gitlab['unauthenticated_session_expire_delay']
+ end
 end |
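Review bot: `limit_session_time` overwrites `:expire_after` unconditionally and never checks that the current session is in fact unauthenticated, so the short TTL is only correct if every caller gates it (presumably a `before_action` conditioned on no signed-in user, which is not in this hunk); if that gate is ever loosened, signed-in sessions would silently expire after the anonymous delay. It also assigns `Settings.gitlab['unauthenticated_session_expire_delay']` without a nil check, and an `expire_after` of nil is treated by Rack's session middleware (and redis-rack) as "no expiry", which would invert the intent and make anonymous sessions outlive the store default rather than shorten them. Suggest `delay = Settings.gitlab['unauthenticated_session_expire_delay']`, `return unless delay`, then `request.env['rack.session.options'][:expire_after] = delay`, plus a one-line comment above the method stating that it must only be invoked for requests with no signed-in user (the `# Rack sets this header` comment should also say "env key", since `rack.session.options` is a Rack env entry, not an HTTP header). The `module SessionsHelper` header precedes this hunk.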