Hello guys,
I'm doing some coding on my template and I'm almost finished, however I'm quite surprised that ZP doesn't have a user auto logout feature :/
Please:
This is the last piece before I go live, so many thanks in advance for any help :-)
Ivan
The cookie is set to expire based on the option. But of course, cookie management is up to the browser, not Zenphoto.
Sessions also expire based on server/PHP configurations. Zenphoto has no control of them. Normally they will expire when the browser exits.
Have you chosen the "gallery sessions" option? If not, sessions are not in play.
Many thanks for pointing this out! I was even more simple, but I missed that checkbox, because the meaning was lost in the translation, so no need to code anymore, cool
Finally, so the user logout after being idle is controlled only by Apache settings / by .htaccess?
Hope this is my last question here..
Ivan
Probably the "meaning" would be lost even in English. The option does not really address "auto-logout" since sessions really have nothing to do with that. One would have to know what browser sessions are to make the connection.
As to how you control the timeout: as I mentioned before, this is a browser/server determined thing. One of the reasons it is not so popular. I do not think that sessions typically time out from being idle--they normally stay active so long as the browser has not closed.
Sbillard, I'm normally using a mechanism in my code to ensure that a user will not stay logged in too long if idle (e.g. in a net cafe, etc.)
To achieve that, I'm using either:
OR
Once the timestamp is too old in both cases, the login is not valid anymore and the user has to log in again.
My question here was whether such a mechanism is already implemented in Zenphoto or if I have to code it..
Ivan
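
The idle-timestamp check described in the post above, as an added PHP example that is not part of the original thread and not Zenphoto code. The session keys (`user`, `login_at`, `last_seen`), the two limits and the `/login.php` redirect are assumptions chosen for illustration.

```php
<?php
declare(strict_types=1);

const IDLE_LIMIT = 900;       // assumed: 15 minutes without a request
const ABSOLUTE_LIMIT = 28800; // assumed: 8 hours since login, even if active

/**
 * Returns true if the login in $s is still valid at $now and slides the
 * idle window forward. Key names are hypothetical, not Zenphoto's.
 */
function session_is_fresh(array &$s, int $now): bool
{
    if (!isset($s['user'], $s['login_at'], $s['last_seen'])) {
        return false; // nobody is logged in
    }
    if ($now - $s['last_seen'] > IDLE_LIMIT) {
        return false; // idle too long
    }
    if ($now - $s['login_at'] > ABSOLUTE_LIMIT) {
        return false; // cap total lifetime regardless of activity
    }
    $s['last_seen'] = $now; // record this request as activity
    return true;
}

/** Call at the top of every protected page, before any output. */
function enforce_idle_logout(): void
{
    session_start(['cookie_httponly' => true, 'use_strict_mode' => true]);
    if (isset($_SESSION['user']) && !session_is_fresh($_SESSION, time())) {
        $_SESSION = [];    // drop the server-side login state
        session_destroy(); // and the session record itself
        header('Location: /login.php?reason=timeout'); // hypothetical URL
        exit;
    }
}

if (PHP_SAPI === 'cli') {
    // Constructed sample: login at t=1000, last request at t=1600.
    $s = ['user' => 'demo', 'login_at' => 1000, 'last_seen' => 1600];
    var_dump(session_is_fresh($s, 2000)); // 400 s since last request
    var_dump(session_is_fresh($s, 3000)); // 1000 s since the request at 2000
}
```

The timestamp lives server-side in the session, so the browser cannot extend it; `session.gc_maxlifetime` on the server should be at least `IDLE_LIMIT`, or PHP may discard the session before the check does.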
Such code can be made for Zenphoto if the cookie timeout is not to your liking. (Not sure why that would be, though.) Still, it seems to me that it is pretty unfriendly to log someone out while he is using the site, so if you wanted to expire a user it should probably be done when he is not on the site, which in turn means some kind of background process.
Well, finally, I spent several hours discovering the actual security of the gallery and I have decided to rewrite this part from scratch.
I have already added some script to handle access to pictures, as there is possibility to access pictures by direct URL even if the user is not logged in. That's done. Now I'm working on real auth by sessions, not cookies
Guys, good work with this gallery for public use, but really weak for personal use
Not blaming you, just providing info to other users.
Ivan
Well, probably because Zenphoto is primarily meant to run public websites.
Quote: as there is possibility to access pictures by direct URL
If you mean you can access unpublished items via url directly, yes, that is not a bug but a feature. You need to password protect them if you don't wish that.
Of course you can link to the albums folder and its images directly as well if you know it. But since the filesystem is out of Zenphoto's control you would need to use htaccess to avoid that. We have a troubleshooting entry about that if I recall right.
Right, but banning access by .htaccess is also breaking links within the gallery & admin, so I put a small wrapper there to forward picture data only if the user is logged in.
But you are right. If gallery should be for public use, then I just had different expectations
Ivan
There is no issue with making a Zenphoto gallery private, you just have to understand how WEB browsers work and take appropriate actions. For instance, move the album repository off the WEB path or protect it with .htaccess.
But if you do this, you have to be sure that your theme does not attempt to directly access the album folder because that will not work for anyone (as you observed) if it is protected as above.
All this is provided for by Zenphoto but not configured out of the box because it usually is not needed.