From 9ec826364ada5906c775152c1f681292ffea1b92 Mon Sep 17 00:00:00 2001 From: Andreas Gohr Date: Fri, 15 Feb 2008 12:49:23 +0100 Subject: invalidate all user session cache when userdatabase is changed FS#1085 A reference file is now stored in data/cache/sessionpurge and is used to check if user sessions are still valid. To accomondate for slow auth backends DokuWiki caches user info for a certain time in the user session. darcs-hash:20080215114923-7ad00-6874d5211efce7d07e54de37244becc2387c1ba7.gz
---
 inc/auth.php | 1 + 1 file changed, 1 insertion(+) (limited to 'inc/auth.php')
diff --git a/inc/auth.php b/inc/auth.php
index d511930dc..48888da1e 100644
--- a/inc/auth.php
+++ b/inc/auth.php
@@ -157,6 +157,7 @@ function auth_login($user,$pass,$sticky=false,$silent=false){
 if($user && $pass){
 // we got a cookie - see if we can trust it
 if(isset($session) &&
+ ($session['time'] >= @filemtime($conf['cachedir'].'/sessionpurge')) &&
 ($session['time'] >= time()-$conf['auth_security_timeout']) &&
 ($session['user'] == $user) &&
 ($session['pass'] == $pass) && //still crypted
--
cgit v1.2.3
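Review bot: The added `@filemtime($conf['cachedir'].'/sessionpurge')` comparison fails open: when the reference file is missing or unreadable, `filemtime()` returns `false`, the warning is suppressed, and `$session['time'] >= false` evaluates to true, so the cached session data is trusted exactly as before. That is the right result while no purge has been recorded, but it also means that removing the file (for example when the cache directory is cleared) silently re-validates sessions cached before the last user-database change, bounded only by `auth_security_timeout` on the next line. I would state this above the condition, e.g. `// a missing sessionpurge file means no purge is recorded; filemtime() is false and the check passes`. Because both timestamps have one-second resolution, `>=` also keeps a session that was cached in the same second as the purge; `>` would be the stricter choice. The `if` condition and `auth_login()` both continue outside the hunk, and the code that touches the reference file is not part of this view.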