Bug #126
Session cookies are never deleted.
| Status: | New | Start: | September 17, 2025 |
|---|---|---|---|
| Priority: | Normal | Due date: | |
| Assigned to: | - | % Done: | 0% |
| Category: | - | | |
| Target version: | - | | |
Description
As far as I can tell, session cookies are never deleted. cookies.lua should probably run db:exec(query_delete_session) on startup.
History
Updated by Shankar G 5 months ago
Would just like to second this. It seems like a serious security breach. Among the technical problems, any site that one logs into stays logged in forever unless you sign out :). Would submit a patch if I knew Lua but unfortunately I don't, and not in a position to learn it just now...
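Added example, not part of the original report or the project's own code: a Python/sqlite3 sketch of the startup purge the description proposes, showing a session cookie surviving a restart when no purge runs and being removed when it does. The table layout, the use of a NULL `expiry` to mark session cookies, and the names `open_store` and `simulate_restart` are assumptions made for illustration; the example also goes one step further than the report by purging expired persistent cookies in the same transaction.

```python
import os
import sqlite3
import tempfile
import time

# Assumed schema (not the project's): expiry is a Unix timestamp,
# and NULL marks a session cookie that must not outlive the browser run.
SCHEMA = """CREATE TABLE IF NOT EXISTS cookies (
    host TEXT NOT NULL, name TEXT NOT NULL, value TEXT NOT NULL,
    expiry INTEGER, PRIMARY KEY (host, name))"""
QUERY_DELETE_SESSION = "DELETE FROM cookies WHERE expiry IS NULL"
QUERY_DELETE_EXPIRED = (
    "DELETE FROM cookies WHERE expiry IS NOT NULL AND expiry <= ?")


def open_store(path, purge_on_startup=True, now=None):
    """Open the cookie database the way a browser would at startup."""
    db = sqlite3.connect(path)
    db.execute(SCHEMA)
    if purge_on_startup:
        now = int(time.time()) if now is None else now
        with db:  # both deletes commit together or not at all
            db.execute(QUERY_DELETE_SESSION)
            db.execute(QUERY_DELETE_EXPIRED, (now,))
    return db


def simulate_restart(purge_on_startup):
    """Run 1 stores cookies and exits; return cookie names seen by run 2."""
    now = 1_700_000_000  # constructed clock value
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "cookies.db")
        db = open_store(path, purge_on_startup=False, now=now)
        db.executemany("INSERT INTO cookies VALUES (?, ?, ?, ?)", [
            # constructed sample cookies
            ("example.test", "sid", "constructed-session-token", None),
            ("example.test", "remember", "1", now + 86400),
            ("example.test", "old", "x", now - 1),
        ])
        db.commit()
        db.close()  # first browser run ends without signing out
        db = open_store(path, purge_on_startup, now=now)  # second run
        names = sorted(r[0] for r in db.execute("SELECT name FROM cookies"))
        db.close()
        return names


if __name__ == "__main__":
    print("no purge:  ", simulate_restart(False))
    print("with purge:", simulate_restart(True))
```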