Do regular users get logged out?
There was an issue in Geeklog 1.8.0 where OAuth and OpenID users would get logged out after 2 mins of inactivity. It had to do with the password cookie. (The quote below is from the dev mailing list way back in April of 2011.) This should be an issue in Geeklog 1.8.1 though.
To update sites with this fix, OAuth and OpenID user accounts will need passwords now. Once someone else confirms this fix works for both I will update the upgrade script in Geeklog to add passwords to all of these accounts.
Tom
-----Original Message-----
To: 'Geeklog Development'
Subject: Re: [geeklog-devel] OAuth and sessions (was: Geeklog 1.8.0)
Okay, I found the problem with the OAuth account being logged out after 2 minutes of inactivity. This affects our OpenID implementation as well I believe (I haven't tested it yet, I need to get an OpenID 1.0 account).
The problem lies with the password cookie. We do not create and store passwords for OAuth accounts because there was no need due to the authentication happening with the OAuth provider. The problem is that the session handler was not updated to take this into account.
I have an update to fix the issue. Basically, when an OAuth account is created, a password is now created as well. The only purpose of this password is to validate the session cookie information. I also updated the SESS_getUserDataFromId function and allowed it to return the hash password as well so that when the user gets logged in the cookie will be set with a valid password.
I have updated the OpenID implementation as well, and when an account is created with USER_createAccount I now supply a password to use with the account. As I mentioned before, this OpenID fix is not tested, but only 2 lines were changed.
One of the Geeklog Core Developers.
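The failure mode described in the quoted message, as an added example that is not part of the original post and is not Geeklog source code. It is a simplified model: the names `createAccount`, `loginCookie` and `restoreLogin` are hypothetical, and it assumes the session handler re-validates an expired session by comparing the password cookie with the stored hash.

```php
<?php
// Simplified model of the behaviour described in the thread; NOT Geeklog source.
// All function names and the $users layout are hypothetical.

$users = [];  // uid => ['service' => remote provider or '', 'passwd' => stored hash or '']

function createAccount(array &$users, int $uid, string $service, bool $withFix): void
{
    // Before the fix, remote (OAuth/OpenID) accounts were stored without a password.
    // With the fix, a random one is generated purely so the cookie can be validated.
    // For local accounts the random hash stands in for the user's own password hash.
    $passwd = '';
    if ($service === '' || $withFix) {
        $passwd = hash('sha256', random_bytes(32));
    }
    $users[$uid] = ['service' => $service, 'passwd' => $passwd];
}

function loginCookie(array $users, int $uid): array
{
    // What the browser holds after login: user id plus the stored hash.
    return ['uid' => $uid, 'passwd' => $users[$uid]['passwd']];
}

function restoreLogin(array $users, array $cookie): bool
{
    // Runs once the short-lived session has expired: re-validate from the cookies.
    $stored = $users[$cookie['uid']]['passwd'] ?? '';
    if ($stored === '' || $cookie['passwd'] === '') {
        return false;  // nothing to validate against, so the user is logged out
    }
    return hash_equals($stored, $cookie['passwd']);  // constant-time comparison
}

createAccount($users, 1, '', false);               // regular local account
createAccount($users, 2, 'oauth.example', false);  // remote account, before the fix
createAccount($users, 3, 'oauth.example', true);   // remote account, after the fix

foreach ($users as $uid => $u) {
    $ok = restoreLogin($users, loginCookie($users, $uid));
    printf("uid %d (%s): %s\n", $uid, $u['service'] ?: 'local',
           $ok ? 'stays logged in' : 'logged out');
}
```

Only the remote account created without a password fails re-validation, which matches the symptom that regular users were unaffected while OAuth and OpenID users were logged out once the session lapsed.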