Update session token only once per minute (#29041).

Patch by Pavel Rosický. git-svn-id: http://svn.redmine.org/redmine/trunk@21376 e93f8b46-1217-0410-a6f0-8f06a7374b81
2025-11-09 06:46:01 +01:00 · 2022-01-22 04:04:05 +00:00
parent 5d0798c0d1
commit 8bb06c04ba
2 changed files with 21 additions and 1 deletions
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -469,7 +469,14 @@ class User < Principal
    if Setting.session_timeout?
      scope = scope.where("updated_on > ?", Setting.session_timeout.to_i.minutes.ago)
    end
-    scope.update_all(:updated_on => Time.now) == 1
+    last_updated = scope.maximum(:updated_on)
+    if last_updated.nil?
+      false
+    elsif last_updated <= 1.minute.ago
+      scope.update_all(:updated_on => Time.now) == 1
+    else
+      true
+    end
  end

  # Return an array of project ids for which the user has explicitly turned mail notifications on
--- a/test/functional/sessions_controller_test.rb
+++ b/test/functional/sessions_controller_test.rb
@@ -45,6 +45,19 @@ class SessionsControllerTest < Redmine::ControllerTest
    assert token.updated_on > created
  end

+  def test_session_token_should_be_updated_only_once_per_minute
+    token = Token.create!(:user_id => 2, :action => 'session', :created_on => 1.second.ago, :updated_on => 1.second.ago)
+    updated = token.reload.updated_on
+
+    get :index, :session => {
+      :user_id => 2,
+      :tk => token.value
+    }
+    assert_response :success
+    token.reload
+    assert_equal updated.to_i, token.updated_on.to_i
+  end
+
  def test_user_session_should_not_be_reset_if_lifetime_and_timeout_disabled
    created = 2.years.ago
    token = Token.create!(:user_id => 2, :action => 'session', :created_on => created, :updated_on => created)