From f2c918dc454aab054c8ef9dfaa85bc11eb8177c7 Mon Sep 17 00:00:00 2001
From: Sam Minnee
Date: Fri, 31 May 2013 16:26:04 +1200
Subject: [PATCH 1/2] FIX: Make session timeout inactive-time only.

By default, the Session.timeout configuration option specifies the total session time, regardless of the amount of activity. This change means that the timeout specifies how long without any further dynamic requests before the session cookie expires. The way it does this is to re-set the session cookie expiry with a subsequent Set-Cookie command each time a request that necessitates a session is called. Strictly speaking, it's a change in session timeout semantics, but I think it's a good one, because total-session-time-regardless-of-activity is a stupid timeout to include, and has more to do with the mechanics of the internet than with application security requirements.
---
 control/Session.php | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/control/Session.php b/control/Session.php
index 17ff7cd66..183e2cc3c 100644
--- a/control/Session.php
+++ b/control/Session.php
@@ -535,6 +535,13 @@ class Session {
 			// There's nothing we can do about this, because it's an operating system function!
 			if($sid) session_id($sid);
 			@session_start();
+
+		}
+
+		// Modify the timeout behaviour so it's the *inactive* time before the session expires. // By default it's the total session lifetime
+		if($timeout && !headers_sent()) {
+			setcookie(session_name(), session_id(), time()+$timeout, $path, $domain ? $domain : null, $secure, true);
 		}
 	}

From 4548b67538086db7e95d3758c2001cae59501d33 Mon Sep 17 00:00:00 2001
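Review bot: The refreshed cookie emitted by the new `setcookie(session_name(), session_id(), time()+$timeout, $path, $domain ? $domain : null, $secure, true);` line must carry exactly the same path, domain and secure attributes as the cookie the session was originally started with, otherwise the browser keeps two cookies with the same name and the idle-timeout refresh never reaches the one it actually sends back; `$path`, `$domain` and `$secure` are set earlier in Session::start, which begins outside this hunk, so it is worth confirming they are the same values handed to the session cookie parameters there. Extending the cookie only pushes out the client-side expiry: if the server-side session garbage-collection lifetime is shorter than `$timeout`, the session data can still disappear before the cookie does, which may be handled elsewhere in the method but is not visible here. The `!headers_sent()` guard silently skips the refresh for any request that has already started output, leaving the previous expiry in place; a comment on that branch such as `// Output has already started, so the expiry cannot be refreshed; the cookie keeps its earlier lifetime.` would spare the next reader a surprise.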
From: Sam Minnee
Date: Fri, 31 May 2013 16:27:30 +1200
Subject: [PATCH 2/2] NEW: Add LeftAndMain.session_keepalive_ping config option.

The Session-keepalive ping that is built into LeftAndMain (i.e. all of the CMS admin) can now be turned off. The main reason you would want to do this is if you have enabled Session.timeout, and you want users to be locked out of the CMS after a period.
---
 admin/code/LeftAndMain.php | 55 +++++++++++++++++++++++---------------
 1 file changed, 33 insertions(+), 22 deletions(-)

diff --git a/admin/code/LeftAndMain.php b/admin/code/LeftAndMain.php
index e72658837..750153883 100644
--- a/admin/code/LeftAndMain.php
+++ b/admin/code/LeftAndMain.php
@@ -152,6 +152,15 @@ class LeftAndMain extends Controller implements PermissionProvider {
 	 */
 	private static $extra_requirements_themedCss = array();
+	/**
+	 * If true, call a keepalive ping every 5 minutes from the CMS interface,
+	 * to ensure that the session never dies.
+	 *
+	 * @config
+	 * @var boolean
+	 */
+	private static $session_keepalive_ping = true;
+
 	/**
 	 * @var PjaxResponseNegotiator
 	 */
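Review bot: The docblock on the new `$session_keepalive_ping` property says what the ping does but not why anyone would disable it, which according to the commit message is the whole reason the option exists; add a line such as `* Set to false when Session.timeout is configured, so that idle CMS users are logged out instead of being kept alive indefinitely.` The "every 5 minutes" figure is implemented on the client side in LeftAndMain.Ping.js rather than here, so the comment will silently go stale if that interval changes; saying `periodically` and pointing at LeftAndMain.Ping.js keeps the PHP docblock accurate regardless.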
@@ -327,28 +336,30 @@ class LeftAndMain extends Controller implements PermissionProvider {
 		HTMLEditorField::include_js();
-		Requirements::combine_files(
-			'leftandmain.js',
-			array_unique(array_merge(
-				array(
-					FRAMEWORK_ADMIN_DIR . '/javascript/LeftAndMain.Layout.js',
-					FRAMEWORK_ADMIN_DIR . '/javascript/LeftAndMain.js',
-					FRAMEWORK_ADMIN_DIR . '/javascript/LeftAndMain.ActionTabSet.js',
-					FRAMEWORK_ADMIN_DIR . '/javascript/LeftAndMain.Panel.js',
-					FRAMEWORK_ADMIN_DIR . '/javascript/LeftAndMain.Tree.js',
-					FRAMEWORK_ADMIN_DIR . '/javascript/LeftAndMain.Ping.js',
-					FRAMEWORK_ADMIN_DIR . '/javascript/LeftAndMain.Content.js',
-					FRAMEWORK_ADMIN_DIR . '/javascript/LeftAndMain.EditForm.js',
-					FRAMEWORK_ADMIN_DIR . '/javascript/LeftAndMain.Menu.js',
-					FRAMEWORK_ADMIN_DIR . '/javascript/LeftAndMain.Preview.js',
-					FRAMEWORK_ADMIN_DIR . '/javascript/LeftAndMain.BatchActions.js',
-					FRAMEWORK_ADMIN_DIR . '/javascript/LeftAndMain.FieldHelp.js',
-					FRAMEWORK_ADMIN_DIR . '/javascript/LeftAndMain.TreeDropdownField.js',
-				),
-				Requirements::add_i18n_javascript(FRAMEWORK_DIR . '/javascript/lang', true, true),
-				Requirements::add_i18n_javascript(FRAMEWORK_ADMIN_DIR . '/javascript/lang', true, true)
-			))
-		);
+		$leftAndMainIncludes = array_unique(array_merge(
+			array(
+				FRAMEWORK_ADMIN_DIR . '/javascript/LeftAndMain.Layout.js',
+				FRAMEWORK_ADMIN_DIR . '/javascript/LeftAndMain.js',
+				FRAMEWORK_ADMIN_DIR . '/javascript/LeftAndMain.ActionTabSet.js',
+				FRAMEWORK_ADMIN_DIR . '/javascript/LeftAndMain.Panel.js',
+				FRAMEWORK_ADMIN_DIR . '/javascript/LeftAndMain.Tree.js',
+				FRAMEWORK_ADMIN_DIR . '/javascript/LeftAndMain.Content.js',
+				FRAMEWORK_ADMIN_DIR . '/javascript/LeftAndMain.EditForm.js',
+				FRAMEWORK_ADMIN_DIR . '/javascript/LeftAndMain.Menu.js',
+				FRAMEWORK_ADMIN_DIR . '/javascript/LeftAndMain.Preview.js',
+				FRAMEWORK_ADMIN_DIR . '/javascript/LeftAndMain.BatchActions.js',
+				FRAMEWORK_ADMIN_DIR . '/javascript/LeftAndMain.FieldHelp.js',
+				FRAMEWORK_ADMIN_DIR . '/javascript/LeftAndMain.TreeDropdownField.js',
+			),
+			Requirements::add_i18n_javascript(FRAMEWORK_DIR . '/javascript/lang', true, true),
+			Requirements::add_i18n_javascript(FRAMEWORK_ADMIN_DIR . '/javascript/lang', true, true)
+		));
+
+		if($this->config()->session_keepalive_ping) {
+			$leftAndMainIncludes[] = FRAMEWORK_ADMIN_DIR . '/javascript/LeftAndMain.Ping.js';
+		}
+
+		Requirements::combine_files('leftandmain.js', $leftAndMainIncludes);
 		// TODO Confuses jQuery.ondemand through document.write()
 		if (Director::isDev()) {
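Review bot: Both variants of the include list are written to the same bundle name in the new `Requirements::combine_files('leftandmain.js', $leftAndMainIncludes);` call, so if the combined-file cache is invalidated only by the source files' modification times and not by the membership of the list, flipping `session_keepalive_ping` will keep serving the previously built bundle — ping included or excluded — until the cache is cleared; that depends on the Requirements backend, which is not visible here, and is worth confirming before relying on the option to lock idle users out. Moving LeftAndMain.Ping.js from the middle of the list to the end also changes its position in the bundle; that looks harmless as long as it only depends on LeftAndMain.js, which still precedes it, but that dependency is inferred rather than shown. The enclosing method starts and ends outside this hunk.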