make cookie ttl configurable and unlimited by default (#105)

xecdev · xecdev · web-flow · commit 43b6fd95c690 · 2025-12-07T21:26:08.000-08:00
* make cookie ttl configurable and unlimited by default

* Change &lt;/br&gt; to &lt;br /&gt;

---------

Co-authored-by: xecdev &lt;ecashinformer@gmail.com&gt;
diff --git a/assets/css/paybutton-admin.css b/assets/css/paybutton-admin.css
@@ -295,4 +295,17 @@ table.widefat.fixed.striped td {
 .copy-overlay .overlay-text {
   text-align: center;
   font-weight:bold;
+}
+
+.pre-box {
+    background: #eaeaea;
+    padding: 10px;
+    border: 1px solid #ddd;
+}
+
+.paybutton-guide {
+    margin-top: 15px;
+    background: #f7f7f7;
+    padding: 15px;
+    border-left: 4px solid #0073aa;
 }
diff --git a/includes/class-paybutton-admin.php b/includes/class-paybutton-admin.php
@@ -224,6 +224,8 @@ public function paywall_settings_page() {
             'blacklist'                 => get_option( 'paybutton_blacklist', array() ),
             //Public key
             'paybutton_public_key'      => get_option( 'paybutton_public_key', '' ),
+            // Login & content unlock cookie expiry (days)
+            'paybutton_cookie_ttl_days' => get_option( 'paybutton_cookie_ttl_days', 0 ),
         );
         $this->load_admin_template( 'paywall-settings', $args );
     }
@@ -253,7 +255,7 @@ public function admin_notice_missing_required_inputs() {
 
     /**
      * Save settings submitted via the Paywall Settings page.
-     */
+    */
     private function save_settings() {
         $address         = sanitize_text_field( $_POST['paybutton_admin_wallet_address'] );
         $unit            = sanitize_text_field( $_POST['unit'] );
@@ -292,6 +294,22 @@ private function save_settings() {
         // Default to  #000000 for text
         update_option('paybutton_unlocked_indicator_color', $paybutton_unlocked_indicator_color ?: '#000000');
 
+        // NEW Login & Content Unlock Cookie Expiry (days)
+        // 0 means "no automatic logout" (use long default TTL set in PayButton_State class)
+        $paybutton_cookie_ttl_days = 0;
+
+        if ( isset( $_POST['paybutton_cookie_ttl_days'] ) ) {
+            $raw_ttl = wp_unslash( $_POST['paybutton_cookie_ttl_days'] );
+            // sanitize_text_field to strip tags etc, then cast to int
+            $sanitized_ttl = sanitize_text_field( $raw_ttl );
+            $paybutton_cookie_ttl_days = (int) $sanitized_ttl;
+
+            if ( $paybutton_cookie_ttl_days < 0 ) {
+                $paybutton_cookie_ttl_days = 0;
+            }
+        }
+        update_option( 'paybutton_cookie_ttl_days', $paybutton_cookie_ttl_days );
+
         // Save the blacklist
         if ( isset( $_POST['paybutton_blacklist'] ) ) {
             $raw_blacklist = sanitize_text_field( $_POST['paybutton_blacklist'] );
diff --git a/includes/class-paybutton-state.php b/includes/class-paybutton-state.php
@@ -4,11 +4,40 @@
 final class PayButton_State {
 
     /**
-     * cookie names & session-only cookies 
+     * cookie names
     */
     const COOKIE_USER_ADDR = 'paybutton_user_wallet_address';
     const COOKIE_CONTENT  = 'paybutton_paid_content';
-    const TTL         = 604800; // one week
+    
+    /**
+     * Default cookie lifetime in seconds.
+     * Used when the admin has not set a specific expiry.
+     * Modern browsers may impose their own limits on cookie lifetimes often around 400 days.
+     * https://httpwg.org/http-extensions/draft-ietf-httpbis-rfc6265bis.html#name-the-expires-attribute
+    */
+    const TTL = 31536000; // 1 year in seconds.
+
+    /**
+     * Get effective cookie TTL (in seconds) based on settings.
+     * - If "Login & Content Unlock Cookie Expiry (days)" is > 0,
+     *   use that value.
+     * - If 0 or empty, fall back to the unlimited default (self::TTL).
+     * @return int TTL in seconds
+    */
+    private static function get_ttl() {
+        $raw_days = get_option( 'paybutton_cookie_ttl_days', 0 );
+        $days     = (int) $raw_days;
+
+        if ( $days > 0 ) {
+            if ( defined( 'DAY_IN_SECONDS' ) ) {
+                return $days * DAY_IN_SECONDS;
+            }
+
+            return $days * 86400;
+        }
+
+        return self::TTL;
+    }
 
     /**
      * Generate HMAC of a value using WP auth salt.
@@ -103,12 +132,14 @@ public static function set_address( $addr ) {
             return;   // nothing new → don’t send a Set-Cookie header, good for caching
         }
 
+        $ttl = self::get_ttl();
+
         if ( PHP_VERSION_ID >= 70300 ) {
             setcookie(
                 self::COOKIE_USER_ADDR,
                 $cookieValue,
                 [
-                    'expires'  => time() + self::TTL,
+                    'expires'  => time() + $ttl,
                     'path'     => '/',
                     'domain'   => COOKIE_DOMAIN ?: '',
                     'secure'   => is_ssl(),
@@ -118,7 +149,7 @@ public static function set_address( $addr ) {
             );
         } else {
             //Fall back to a raw header with SameSite=Lax for older PHP versions
-            $expiry = gmdate( 'D, d-M-Y H:i:s T', time() + self::TTL );
+            $expiry = gmdate( 'D, d-M-Y H:i:s T', time() + $ttl );
             $header = sprintf(
                 '%s=%s; Expires=%s; Path=%s; Domain=%s; %s; HttpOnly; SameSite=Lax',
                 self::COOKIE_USER_ADDR,
@@ -196,12 +227,14 @@ public static function add_article( $post_id ) {
             return; // nothing new → don’t send a Set-Cookie header, good for caching
         }
         
+        $ttl = self::get_ttl();
+
         if ( PHP_VERSION_ID >= 70300 ) {
             setcookie(
                 self::COOKIE_CONTENT,
                 $cookieValue,
                 [
-                    'expires'  => time() + self::TTL,
+                    'expires'  => time() + $ttl,
                     'path'     => '/',
                     'domain'   => COOKIE_DOMAIN ?: '',
                     'secure'   => is_ssl(),
@@ -211,7 +244,7 @@ public static function add_article( $post_id ) {
             );
         } else {
             //Fall back to a raw header with SameSite=Lax for older PHP versions
-            $expiry = gmdate( 'D, d-M-Y H:i:s T', time() + self::TTL );
+            $expiry = gmdate( 'D, d-M-Y H:i:s T', time() + $ttl );
             $header = sprintf(
                 '%s=%s; Expires=%s; Path=%s; Domain=%s; %s; HttpOnly; SameSite=Lax',
                 self::COOKIE_CONTENT,
diff --git a/templates/admin/paywall-settings.php b/templates/admin/paywall-settings.php
@@ -183,6 +183,29 @@
             <tr>
                 <th colspan="2"><h2>Advanced Settings</h2></th>
             </tr>
+            <!-- Login & Content Unlock Cookie Expiry Setting -->
+            <tr>
+                <th scope="row">
+                    <label for="paybutton_cookie_ttl_days">
+                        Login &amp; Content Unlock Cookie Expiry (optional)
+                    </label>
+                </th>
+                <td>
+                    <input
+                        type="number"
+                        name="paybutton_cookie_ttl_days"
+                        id="paybutton_cookie_ttl_days"
+                        class="regular-text"
+                        min="0"
+                        step="1"
+                        value="<?php echo esc_attr( (int) $paybutton_cookie_ttl_days ); ?>"
+                    />
+                    <p class="description">
+                        Controls how long login <code>paybutton_user_wallet_address</code> and unlocked content <code>paybutton_paid_content</code> cookies stay valid, in days.
+                        <br />Use <strong>0</strong> (default) to keep users logged in indefinitely.
+                    </p>
+                </td>
+            </tr>
             <!--blacklist Field -->
             <tr>
                 <th scope="row"><label for="paybutton_blacklist">Blacklisted Addresses (optional)</label></th>
@@ -205,7 +228,7 @@
                         Enter your PayButton public key to verify Payment Trigger requests.
                     </p>
                     <!-- User-Friendly Setup Guide -->
-                    <div class="paybutton-guide" style="margin-top: 15px; background: #f7f7f7; padding: 15px; border-left: 4px solid #0073aa;">
+                    <div class="paybutton-guide">
                         <p><strong>Guide to Setup your PayButton Public Key:</strong></p>
                         <p>
                             1. Create an account on 
@@ -222,11 +245,11 @@
                         <p>
                             4. In the <em>URL</em> field, paste the following:
                         </p>
-                        <pre style="background: #eaeaea; padding: 10px; border: 1px solid #ddd;"><?php echo esc_url( admin_url( 'admin-ajax.php?action=payment_trigger' ) ); ?></pre>
+                        <pre class="pre-box"><?php echo esc_url( admin_url( 'admin-ajax.php?action=payment_trigger' ) ); ?></pre>
                         <p>
                             5. In the <em>Post Data</em> field, paste the following code as is:
                         </p>
-                        <pre style="background: #eaeaea; padding: 10px; border: 1px solid #ddd;">
+                        <pre class="pre-box">
 {
 "signature": &lt;signature&gt;,
 "post_id": &lt;opReturn&gt;,
