Update session token only once per minute
This is similar to #28952.
If Rails.application.config.redmine_verify_sessions is enabled, basically each read request triggers an update to the tokens table. This is bad for performance because it blocks the database.
My patch transforms the update query into a select query that doesn't block on heavy load. We could actually update the token only once per hour, which is the minimum available setting for Setting.session_lifetime and Setting.session_timeout, but Redmine modifications could use smaller values, so I chose a 1 minute interval. A session_timeout smaller than 1 minute won't work now, but I think such a small timeout doesn't make much sense.
#5 Updated by Pavel Rosický almost 3 years ago
If you have time, could you review? https://www.redmine.org/attachments/20901/user.rb.patch
GET requests shouldn't update a database all the time. It's even more relevant for #29513.
Disabling Rails.application.config.redmine_verify_sessions isn't an option because it makes Redmine vulnerable.
Are there any security concerns about this change?
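
A plain-Ruby model of the throttled token refresh discussed in this thread, added here as an illustration; it is not Redmine's code or the attached patch, and the class, the method names and the integer-second clock are assumptions. It counts writes under steady traffic and shows how the 1 minute interval interacts with the idle timeout, including the sub-minute timeout case mentioned in the description.

```ruby
# Added illustration: an in-memory model, not Redmine's code. Names are hypothetical.
class SessionTokenStore
  REFRESH_INTERVAL = 60 # seconds, the 1-minute interval proposed in the issue
  attr_reader :writes
  def initialize(lifetime:, timeout:)
    @lifetime = lifetime # absolute session lifetime, seconds
    @timeout = timeout   # idle timeout, seconds
    @tokens = {}         # token value => { created_on:, updated_on: }
    @writes = 0          # number of simulated UPDATE statements
  end
  def issue(value, now)
    @tokens[value] = { created_on: now, updated_on: now }
  end
  # Validity is decided by reads only; updated_on is written only when stale.
  def verify(value, now)
    token = @tokens[value]
    return false if token.nil?
    return false if now - token[:created_on] >= @lifetime
    return false if now - token[:updated_on] >= @timeout
    if now - token[:updated_on] >= REFRESH_INTERVAL
      token[:updated_on] = now
      @writes += 1
    end
    true
  end
end

# Constructed traffic: one request every 10 s for 5 minutes (30 requests).
def writes_for_steady_traffic
  store = SessionTokenStore.new(lifetime: 86_400, timeout: 3_600)
  store.issue("tok", 0)
  (10..300).step(10) { |now| store.verify("tok", now) }
  store.writes
end

# Idle time counts from the last recorded write: expiry can come early, never late.
def expires_early_not_late?
  store = SessionTokenStore.new(lifetime: 86_400, timeout: 3_600)
  store.issue("tok", 0)
  store.verify("tok", 59)     # real activity at t=59, not recorded
  !store.verify("tok", 3_600) # rejected 3541 s after that activity
end

# A timeout below the refresh interval logs out a continuously active user.
def short_timeout_breaks?
  store = SessionTokenStore.new(lifetime: 86_400, timeout: 30)
  store.issue("tok", 0)
  [10, 20, 30].map { |now| store.verify("tok", now) } == [true, true, false]
end
```

In this model the recorded `updated_on` never runs ahead of real activity, so throttling the write cannot extend a session past its configured idle timeout; it can only end it up to one refresh interval sooner.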