From 09ef5f613ef5fdf74554707de1fdccc935c6b0b9 Mon Sep 17 00:00:00 2001
From: Rafael dos Santos Silva
Date: Tue, 17 May 2016 01:12:09 -0300
Subject: [PATCH] FEATURE: add setting permanent_session_cookie to configure session stickiness

Now admins can turn make the login cookie die after the browser is closed, so the user needs to log in everytime.
---
 config/locales/server.en.yml | 1 +
 config/site_settings.yml | 1 +
 lib/auth/default_current_user_provider.rb | 6 +++++-
 3 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/config/locales/server.en.yml b/config/locales/server.en.yml
index 57a68ba5b..78790781b 100644
--- a/config/locales/server.en.yml
+++ b/config/locales/server.en.yml
@@ -890,6 +890,7 @@ en:
   post_undo_action_window_mins: "Number of minutes users are allowed to undo recent actions on a post (like, flag, etc)."
   must_approve_users: "Staff must approve all new user accounts before they are allowed to access the site. WARNING: enabling this for a live site will revoke access for existing non-staff users!"
   pending_users_reminder_delay: "Notify moderators if new users have been waiting for approval for longer than this many hours. Set to -1 to disable notifications."
+  permanent_session_cookie: "Use a permanent cookie that persists after closing the browser. When disabling this, you may want to log out everyone programmatically."
   ga_tracking_code: "Google analytics (ga.js) tracking code code, eg: UA-12345678-9; see http://google.com/analytics"
   ga_domain_name: "Google analytics (ga.js) domain name, eg: mysite.com; see http://google.com/analytics"
   ga_universal_tracking_code: "Google Universal Analytics (analytics.js) tracking code code, eg: UA-12345678-9; see http://google.com/analytics"
diff --git a/config/site_settings.yml b/config/site_settings.yml
index 6a73beaa8..c785c73df 100644
--- a/config/site_settings.yml
+++ b/config/site_settings.yml
@@ -289,6 +289,7 @@ login:
   pending_users_reminder_delay:
     min: -1
     default: 8
+  permanent_session_cookie: true
 
 users:
   min_username_length:
diff --git a/lib/auth/default_current_user_provider.rb b/lib/auth/default_current_user_provider.rb
index 0bc2bf34e..5755f2854 100644
--- a/lib/auth/default_current_user_provider.rb
+++ b/lib/auth/default_current_user_provider.rb
@@ -66,7 +66,11 @@ class Auth::DefaultCurrentUserProvider
       user.auth_token = SecureRandom.hex(16)
       user.save!
     end
-    cookies.permanent[TOKEN_COOKIE] = { value: user.auth_token, httponly: true }
+    if SiteSetting.permanent_session_cookie
+      cookies.permanent[TOKEN_COOKIE] = { value: user.auth_token, httponly: true }
+    else
+      cookies[TOKEN_COOKIE] = { value: user.auth_token, httponly: true }
+    end
     make_developer_admin(user)
     enable_bootstrap_mode(user)
     @env[CURRENT_USER_KEY] = user
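Review bot: The two branches of the new `if SiteSetting.permanent_session_cookie` block repeat the same cookie hash and differ only in which jar they write to, so any later change to the cookie attributes (an added `secure:` flag, for instance) has to be made twice and can drift between the branches; selecting the jar first keeps the attributes in one place: `jar = SiteSetting.permanent_session_cookie ? cookies.permanent : cookies` followed by `jar[TOKEN_COOKIE] = { value: user.auth_token, httponly: true }`. A short comment above the block would also help future readers, since the non-permanent branch only omits the expiry — the cookie lives until the browser discards it, which browsers that restore sessions may never do — and cookies already issued as permanent stay valid until their `auth_token` is invalidated server-side, which is presumably why the locale text suggests logging everyone out after disabling the setting. The enclosing method starts and ends outside the hunk.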