Update max_age of session cookies to 8h instead of 3 months

haulogy · Mar 3, 2022 · 2f4382e · 2f4382e
1 parent abdce53
commit 2f4382e
Showing 1 changed file with 4 additions and 4 deletions.
diff --git a/odoo/http.py b/odoo/http.py
@@ -1157,12 +1157,12 @@ def load_request_data(self):
 
 def session_gc(session_store):
     if random.random() < 0.001:
-        # we keep session one week
-        last_week = time.time() - 60*60*24*7
+        # we keep session 8h
+        exp_time = time.time() - 60*60*8
         for fname in os.listdir(session_store.path):
             path = os.path.join(session_store.path, fname)
             try:
-                if os.path.getmtime(path) < last_week:
+                if os.path.getmtime(path) < exp_time:
                     os.unlink(path)
             except OSError:
                 pass
@@ -1400,7 +1400,7 @@ def get_response(self, httprequest, result, explicit_session):
         # - It could allow session fixation attacks.
         if not explicit_session and hasattr(response, 'set_cookie'):
             response.set_cookie(
-                'session_id', httprequest.session.sid, max_age=90 * 24 * 60 * 60, httponly=True)
+                'session_id', httprequest.session.sid, max_age=8 * 60 * 60, httponly=True)
 
         return response