dmeese / MathWorld

Team Bunny Slippers Math World Web Application

sessions don't timeout #12

Closed enasni closed 11 years ago

enasni commented 11 years ago

Once authenticated, the user is issued a cookie with the session id. On page requests the cookie is checked; however, the cookie persists for the duration that the browser is open or until the user manually logs out.

There should be a temporal component to the session to allow it to automatically time out after a period of time and force the user to re-authenticate.

CKinWoodstock commented 11 years ago

Agreed. Code added to timeout session after 15 minutes.
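
An added example, not the project's code and not part of the original thread: a server-side idle timeout that rejects a session id 15 minutes after its last request, regardless of how long the browser keeps the cookie. The `SessionStore` class, its method names, the in-memory table, and the choice of a sliding (idle) window rather than a fixed lifetime are assumptions; the thread only states the 15-minute figure.

```python
import secrets

IDLE_TIMEOUT = 15 * 60  # seconds; the 15 minutes mentioned in the thread


class SessionStore:
    """Hypothetical in-memory session table keyed by the cookie's session id."""

    def __init__(self, idle_timeout=IDLE_TIMEOUT):
        self.idle_timeout = idle_timeout
        self._sessions = {}  # session id -> {"user": str, "last_seen": float}

    def login(self, user, now):
        """Create a session after successful authentication; return its id."""
        sid = secrets.token_urlsafe(32)  # unguessable id to place in the cookie
        self._sessions[sid] = {"user": user, "last_seen": now}
        return sid

    def authenticate(self, sid, now):
        """Return the user for a live session, or None to force re-authentication."""
        record = self._sessions.get(sid)
        if record is None:
            return None
        if now - record["last_seen"] >= self.idle_timeout:
            # Expired: drop the server-side record so the id stays dead even
            # if the browser keeps sending the cookie.
            del self._sessions[sid]
            return None
        record["last_seen"] = now  # activity renews the idle window
        return record["user"]

    def logout(self, sid):
        """Manual logout: forget the session immediately."""
        self._sessions.pop(sid, None)


def demo():
    """Constructed timeline in seconds; real code would pass time.monotonic()."""
    store = SessionStore()
    sid = store.login("alice", now=0)
    return [
        store.authenticate(sid, now=10 * 60),  # 10 min idle: still valid
        store.authenticate(sid, now=24 * 60),  # 14 min since last request: valid
        store.authenticate(sid, now=40 * 60),  # 16 min idle: expired
        store.authenticate(sid, now=41 * 60),  # record was deleted: stays invalid
    ]
```

The expiry decision is made from the server's own `last_seen` value, so a client that replays or preserves the cookie cannot extend the session.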

CKinWoodstock commented 11 years ago

enasni:

You have been awarded one bug bounty point for this issue.