Internet-facing Odoo deployments are vulnerable when it comes to automatic session expiration.
Odoo (version 14) does implement automatic session expiration, but a session expires only after 7 days of inactivity (a full week: 60*60*24*7 seconds), which is a really long time to wait before
expiring a session. The following code is responsible for automatic session expiration.
File -> /<your_path_to_odoo_source>/odoo-14/odoo/http.py
Search for "def session_gc" - (to be precise line number 1164 of odoo-14 version)
def session_gc(session_store):
    if random.random() < 0.001:
        # we keep session one week
        #last_week = time.time() - 60*60*24*7  #- old code with 1 week implementation
        last_10min = time.time() - 60*10  #- new code with 10 min implementation
        for fname in os.listdir(session_store.path):
            path = os.path.join(session_store.path, fname)
            try:
                #if os.path.getmtime(path) < last_week:  #- old code with 1 week implementation
                if os.path.getmtime(path) < last_10min:  #- new code with 10 min implementation
                    os.unlink(path)
            except OSError:
                pass
The above code changes the automatic session expiry from the original 7 days to 10 minutes.
Now restart Odoo for the changes to take effect (python3 odoo-bin -c /<your_odoo_odoo-14_path>/debian/odoo.conf).
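The cleanup in session_gc runs only when `random.random() < 0.001`, so the 10-minute value is the minimum age at which a session file can be deleted, not a guaranteed timeout. The sketch below is an added example, not Odoo's code: `sweep`, `p_sweep_within`, `demo` and the sample file names are constructed for illustration, and it assumes session_gc is called once per HTTP request.

```python
import os
import tempfile
import time

GC_PROBABILITY = 0.001  # the gate in session_gc: random.random() < 0.001
MAX_AGE = 60 * 10       # 10-minute threshold from the modified code


def sweep(session_dir, max_age=MAX_AGE, now=None):
    """The loop body of session_gc without the random gate (hypothetical helper)."""
    now = time.time() if now is None else now
    removed = []
    for fname in os.listdir(session_dir):
        path = os.path.join(session_dir, fname)
        try:
            if os.path.getmtime(path) < now - max_age:
                os.unlink(path)
                removed.append(fname)
        except OSError:
            pass  # same handling as session_gc: skip files that cannot be removed
    return sorted(removed)


def p_sweep_within(n_requests, p=GC_PROBABILITY):
    """Probability that the gate opened at least once during n_requests calls."""
    return 1 - (1 - p) ** n_requests


def demo():
    """Constructed session store: two stale files and one fresh file."""
    now = time.time()
    with tempfile.TemporaryDirectory() as d:
        for name, age in (("stale_a", 3600), ("stale_b", 900), ("fresh", 30)):
            path = os.path.join(d, name)
            open(path, "w").close()
            os.utime(path, (now - age, now - age))  # backdate the mtime
        removed = sweep(d, now=now)
        return removed, sorted(os.listdir(d))


if __name__ == "__main__":
    print(demo())
    for n in (100, 1000, 5000):
        # On a quiet server a stale file can outlive the threshold for a long time.
        print(n, "requests ->", round(p_sweep_within(n), 3))
```

On a low-traffic instance the gate opens rarely, so a stale session file can stay on disk well past 10 minutes until some later request triggers the sweep.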