author | Go MAEDA <maeda@farend.jp> | 2022-01-22 04:04:05 +0000 |
---|---|---|
committer | Go MAEDA <maeda@farend.jp> | 2022-01-22 04:04:05 +0000 |
commit | 8bb06c04ba9f094ba72d6a906d5df921da64647d (patch) | |
tree | 6c7e13481b1689e280537106670c5b91feaef922 | |
parent | 5d0798c0d1b970a4d34b61906907014c3c304d51 (diff) | |
Update session token only once per minute (#29041).
Patch by Pavel Rosický.
git-svn-id: http://svn.redmine.org/redmine/trunk@21376 e93f8b46-1217-0410-a6f0-8f06a7374b81
-rw-r--r-- | app/models/user.rb | 9 | ||||
-rw-r--r-- | test/functional/sessions_controller_test.rb | 13 |
2 files changed, 21 insertions, 1 deletions
diff --git a/app/models/user.rb b/app/models/user.rb
index 25530541e..8c190374f 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -469,7 +469,14 @@ class User < Principal
     if Setting.session_timeout?
       scope = scope.where("updated_on > ?", Setting.session_timeout.to_i.minutes.ago)
     end
-    scope.update_all(:updated_on => Time.now) == 1
+    last_updated = scope.maximum(:updated_on)
+    if last_updated.nil?
+      false
+    elsif last_updated <= 1.minute.ago
+      scope.update_all(:updated_on => Time.now) == 1
+    else
+      true
+    end
   end
 
   # Return an array of project ids for which the user has explicitly turned mail notifications on
diff --git a/test/functional/sessions_controller_test.rb b/test/functional/sessions_controller_test.rb
index bc9d1d99a..8640c1ee4 100644
--- a/test/functional/sessions_controller_test.rb
+++ b/test/functional/sessions_controller_test.rb
@@ -45,6 +45,19 @@ class SessionsControllerTest < Redmine::ControllerTest
     assert token.updated_on > created
   end
 
+  def test_session_token_should_be_updated_only_once_per_minute
+    token = Token.create!(:user_id => 2, :action => 'session', :created_on => 1.second.ago, :updated_on => 1.second.ago)
+    updated = token.reload.updated_on
+
+    get :index, :session => {
+      :user_id => 2,
+      :tk => token.value
+    }
+    assert_response :success
+    token.reload
+    assert_equal updated.to_i, token.updated_on.to_i
+  end
+
   def test_user_session_should_not_be_reset_if_lifetime_and_timeout_disabled
     created = 2.years.ago
     token = Token.create!(:user_id => 2, :action => 'session', :created_on => created, :updated_on => created)
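Review bot: The refresh threshold `1.minute.ago` in the new `elsif` is an unexplained magic value, and splitting the former single `update_all` into a read of `scope.maximum(:updated_on)` followed by a conditional write changes how `Setting.session_timeout` is measured: `updated_on` now lags the user's last request by up to a minute, so the idle timeout can fire up to a minute earlier than the previous per-request refresh allowed. Naming the interval and recording the trade-off would make this explicit, e.g. a class constant `SESSION_TOKEN_REFRESH_INTERVAL = 1.minute` (a name I constructed) used as `elsif last_updated <= SESSION_TOKEN_REFRESH_INTERVAL.ago`, plus a comment above the `last_updated` line such as `# Refresh updated_on at most once per minute to avoid a write on every request; the session timeout is therefore enforced with one-minute granularity (#29041)`. The check-then-update is no longer atomic, but it still fails closed: if the token is removed between `maximum` and `update_all`, the `== 1` comparison yields false, and the bare `true` branch is only reached after a token matched the same lifetime/timeout-filtered scope moments earlier. The enclosing method begins outside the hunk.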
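Review bot: The new test only exercises the "leave it alone" side of the throttle (a token touched one second ago keeps its `updated_on`); the refreshing side of the `<=` comparison is not pinned here, so a flipped operator or a changed interval would still pass this test. The preceding test, whose `assert token.updated_on > created` tail is visible in the context lines, presumably covers a token that is far older than a minute, but a near-boundary case such as `:updated_on => 61.seconds.ago` followed by `assert token.updated_on.to_i > updated.to_i` would make the threshold itself explicit. Comparing with `to_i` is reasonable here, since it presumably avoids sub-second precision differences between Ruby's `Time` and the database column.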