- added 1 year timeout for csrf token cookie because if one closes the browser the cookie is gone

- but the auth token should determine the logout timeout...

- added 1 year timeout for csrf token cookie because if one closes the browser the cookie is gone
2d6e1f7f · Janis Daniel Dähne · d2709715 · 2d6e1f7f · 2d6e1f7f
Commit 2d6e1f7f authored 6 years ago by Janis Daniel Dähne
--- a/readme.md
+++ b/readme.md
@@ -6,13 +6,6 @@ In the current setup the client server serves the webpage as static content. All

 # Important Issues

-#### lost/infinite assessment
-When running an assessment (for an release) we set HasAutomaticAssessmentStarted to true and
-after we finished we set HasAutomaticAssessmentStarted to false and HasAutomaticAssessmentFinished to true
-
-the issue is that when we started and e.g. the server crashes the assessment won't finish anymore because we only take new assessments for releases where HasAutomaticAssessmentStarted is false
-
-we cannot distinct between a every long running assessment and a server crash (which won't set the props either).

 ## Important hints

@@ -191,7 +184,9 @@ if a user tries to login via external but the password is not yet set then he/sh

 # Hints

-* HttpDelete cannot take [FromBody] arguments because vue-resource does not support body data when sending delete request --> use url argument e.g. HttpPost("{id}")
+- when the server is shutdown and some assessment was running will it ever finish? 
+  - it should because we now chec/run on server startup a new assessment check for assessments that haven't finished and rerun them
+- HttpDelete cannot take [FromBody] arguments because vue-resource does not support body data when sending delete request --> use url argument e.g. HttpPost("{id}")



--- a/src/ClientServer/Controllers/Core/Login/AuthTokenController.cs
+++ b/src/ClientServer/Controllers/Core/Login/AuthTokenController.cs
@@ -262,6 +262,8 @@ namespace ClientServer.Controllers.Core.Login

        public static void UpdateCsrfCookie(HttpResponse response,  string crsfToken)
        {
+            var now = DateTimeHelper.GetNowForCookies();
+
            response.Cookies.Append(CSRFCookieName, crsfToken, new CookieOptions
            {
                HttpOnly = false,
@@ -272,7 +274,7 @@ namespace ClientServer.Controllers.Core.Login
                
                //not important has the same lifetime as the auth token implicitly
                //on every login we reset 
-                // Expires = now.AddMinutes(Startup.TokenCookieTimeoutInS)
+                Expires = now.AddYears(1), //session is not good because if one closes the browser the cookie is gone but the auth token should determine the logout timeout...
                Path = "/",
            });
        }