2 changes: 1 addition & 1 deletion app/controllers/application_controller.rb
Expand Up @@ -51,7 +51,7 @@ class ApplicationController < ActionController::Base
include Accounts::UserLogin
include Accounts::Authorization
include Accounts::EnterpriseGuard
include ::OpenProject::Authentication::SessionExpiry
include ::OpenProject::Authentication::SessionExpiration
include AdditionalUrlHelpers
include OpenProjectErrorHelper
include Security::DefaultUrlOptions
2 changes: 1 addition & 1 deletion app/models/user_password.rb
Expand Up @@ -61,7 +61,7 @@ def matches_plaintext?(plain, update_legacy: true)

##
# Rehash the password using the currently active strategy.
# This replaces the password and keeps expiry date identical.
# This replaces the password and keeps expiration date identical.
def rehash_as_active(plain)
active_class = UserPassword.active_type

4 changes: 2 additions & 2 deletions app/services/users/change_password_service.rb
Expand Up @@ -75,8 +75,8 @@ def invalidate_other_sessions

def update_message
update_message = I18n.t(:notice_account_password_updated)
expiry_message = I18n.t(:notice_account_other_session_expired)
{ message_type: :info, message: "#{update_message} #{expiry_message}" }
expiration_message = I18n.t(:notice_account_other_session_expired)
{ message_type: :info, message: "#{update_message} #{expiration_message}" }
end

def log_success
2 changes: 1 addition & 1 deletion app/services/users/login_service.rb
Expand Up @@ -66,7 +66,7 @@ def set_autologin_cookie
token = Token::AutoLogin.create!(user:, data: token_session_information)
cookie_options = {
value: token.plain_value,
# The autologin expiry is checked on validating the token
# The autologin expiration is checked on validating the token
# but still expire the cookie to avoid unnecessary retries
expires: token.expires_on,
path: OpenProject::Configuration["autologin_cookie_path"],
4 changes: 2 additions & 2 deletions config/constants/settings/definition.rb
Expand Up @@ -169,7 +169,7 @@ class Definition
default: %w[ca cs de el en es fr hu id it ja ko lt nl no pl pt-BR pt-PT ro ru sk sl sv tr uk vi zh-CN zh-TW].freeze,
allowed: -> { Redmine::I18n.all_languages }
},
avatar_link_expiry_seconds: {
avatar_link_expiration_seconds: {
description: "Cache duration for avatar image API responses",
default: 24.hours.to_i
},
Expand Down Expand Up @@ -216,7 +216,7 @@ class Definition
default: 20
},
cache_expires_in_seconds: {
description: "Expiration time for memcache entries, empty for no expiry be default",
description: "Expiration time for memcache entries, empty for no expiration be default",
format: :integer,
default: nil,
writable: false
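Review bot: The reworded description of `cache_expires_in_seconds` on the new side still carries the pre-existing typo "empty for no expiration be default"; since the line is being touched anyway, it should become `description: "Expiration time for memcache entries, empty for no expiration by default",`. This string also appears verbatim in the environment-variable listing under docs/, so the typo is reproduced there as well. The enclosing `Definition` class starts and ends outside the hunk.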
2 changes: 1 addition & 1 deletion config/locales/en.yml
Expand Up @@ -4427,7 +4427,7 @@ en:
setting_self_registration_manual_activation_caption: >
Users can register on their own. Their accounts are in a pending state until an administrator
or user with the global permission to create or manage users activates them.
setting_session_ttl: "Session expiry time after inactivity"
setting_session_ttl: "Session expiration time after inactivity"
setting_session_ttl_hint: "Value below 5 works like disabled"
setting_session_ttl_enabled: "Session expires"
setting_start_of_week: "Week starts on"
@@ -0,0 +1,43 @@
# frozen_string_literal: true

#-- copyright
# OpenProject is an open source project management software.
# Copyright (C) the OpenProject GmbH
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License version 3.
#
# OpenProject is a fork of ChiliProject, which is a fork of Redmine. The copyright follows:
# Copyright (C) 2006-2013 Jean-Philippe Lang
# Copyright (C) 2010-2013 the ChiliProject Team
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
#
# See COPYRIGHT and LICENSE files for more details.
#++

require_relative "migration_utils/setting_renamer"

class RenameAvatarLinkExpirySettingToExpiration < ActiveRecord::Migration[8.0]
def up
::Migration::MigrationUtils::SettingRenamer
.rename(:avatar_link_expiry_seconds, :avatar_link_expiration_seconds)
end

def down
::Migration::MigrationUtils::SettingRenamer
.rename(:avatar_link_expiration_seconds, :avatar_link_expiry_seconds)
end
end
36 changes: 19 additions & 17 deletions db/migrate/migration_utils/setting_renamer.rb
Expand Up @@ -28,26 +28,28 @@
# See COPYRIGHT and LICENSE files for more details.
#++

module Migration::MigrationUtils
class SettingRenamer
# define all the following methods as class methods
class << self
def rename(source_name, target_name)
ActiveRecord::Base.connection.execute <<-SQL
UPDATE #{settings_table}
SET name = #{quote_value(target_name)}
WHERE name = #{quote_value(source_name)}
SQL
end
module Migration
module MigrationUtils
class SettingRenamer
# define all the following methods as class methods
class << self
def rename(source_name, target_name)
ActiveRecord::Base.connection.execute <<-SQL.squish
UPDATE #{settings_table}
SET name = #{quote_value(target_name)}
WHERE name = #{quote_value(source_name)}
SQL
end

private
private

def settings_table
@settings_table ||= ActiveRecord::Base.connection.quote_table_name("settings")
end
def settings_table
@settings_table ||= ActiveRecord::Base.connection.quote_table_name("settings")
end

def quote_value(s)
ActiveRecord::Base.connection.quote(s)
def quote_value(value)
ActiveRecord::Base.connection.quote(value)
end
end
end
end
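Review bot: `rename` issues an unconditional UPDATE, so if a row named `target_name` already exists — for example because a freshly deployed application saved `avatar_link_expiration_seconds` before this migration ran, or because `down` is run after the new key has been written — the statement will either trip a unique index on `settings.name` if the schema has one (not visible from here) or silently leave two rows with the same name. Either outcome is worse than a clear failure; consider checking for an existing target row first and raising with both names in the message, or at minimum documenting the precondition above the method, e.g. `# Assumes no row named target_name exists; the calling migration must guarantee this.` The interpolated pieces all go through `connection.quote` and `quote_table_name`, so the string-built SQL is not an injection concern. The `class << self` block and the module nesting close within the hunk.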
2 changes: 1 addition & 1 deletion docs/development/concepts/secure-coding/README.md
Expand Up @@ -99,7 +99,7 @@ As OpenProject is a web application, the web session is the central mechanism of
**Guidelines**

- Use Rails' built-in secure session cookies for maintaining the users' session. It incorporates best-practices to ensure strong session tokens, tamper resistance, and proper expiration.
- Ensure session cookies are marked `secure` and `httponly`, as well as providing the appropriate `SameSite` and expiry flags according to the instance's configuration.
- Ensure session cookies are marked `secure` and `httponly`, as well as providing the appropriate `SameSite` and expiration flags according to the instance's configuration.
- Provide a secure logout mechanism that invalidates the session and clears session cookies. Ensure that users are logged out after a period of inactivity.
- Implement session fixation protection mechanisms to prevent attackers from fixing a user's session to a known value.
- Prevent storing sensitive unencrypted session information on the client device
4 changes: 2 additions & 2 deletions docs/installation-and-operations/configuration/README.md
Expand Up @@ -547,7 +547,7 @@ OPENPROJECT_REMOTE__STORAGE__DOWNLOAD__HOST=mybucket.s3.eu-west.amazonaws.com"

When using remote storage for attachments via fog - usually S3 (see [`attachments_storage`](#attachments-storage) option) - each attachment download will generate a temporary URL. This option determines how long these links will be valid.

The default is 21600 seconds, that is 6 hours, which is the maximum expiry time allowed by S3 when using IAM roles for authentication.
The default is 21600 seconds, that is 6 hours, which is the maximum expiration time allowed by S3 when using IAM roles for authentication.

*default: 21600*

Expand Down Expand Up @@ -698,7 +698,7 @@ OPENPROJECT_SECURITY__BADGE__DISPLAYED="false"
* When using `redis`, the following configuration option is relevant:
* `cache_redis_url`: The URL of the Redis host (e.g., `redis://host:6379`)

* `cache_expires_in`: Expiration time for memcache entries (default: `nil`, no expiry)
* `cache_expires_in`: Expiration time for memcache entries (default: `nil`, no expiration)
* `cache_namespace`: Namespace for cache keys, useful when multiple applications use a single memcache server (default: `nil`)

### Rails asset host
Expand Up @@ -142,7 +142,7 @@ OPENPROJECT_AUTOLOGIN (default=0) Autologin
OPENPROJECT_AUTOLOGIN__COOKIE__NAME (default="autologin") Cookie name for autologin cookie
OPENPROJECT_AUTOLOGIN__COOKIE__PATH (default="/") Cookie path for autologin cookie
OPENPROJECT_AVAILABLE__LANGUAGES (default=["ca", "cs", "de", "el", "en", "es", "fr", "hu", "id", "it", "ja", "ko", "lt", "nl", "no", "pl", "pt-BR", "pt-PT", "ro", "ru", "sk", "sl", "sv", "tr", "uk", "vi", "zh-CN", "zh-TW"]) Available languages
OPENPROJECT_AVATAR__LINK__EXPIRY__SECONDS (default=86400) Cache duration for avatar image API responses
OPENPROJECT_AVATAR__LINK__EXPIRATION__SECONDS (default=86400) Cache duration for avatar image API responses
@oliverguenther Not sure of the best way to handle renaming environment variables in deployments?

OPENPROJECT_BACKUP__ATTACHMENT__SIZE__MAX__SUM__MB (default=1024) Maximum limit of attachment size to include into application backups
OPENPROJECT_BACKUP__DAILY__LIMIT (default=3) Maximum number of application backups allowed per day
OPENPROJECT_BACKUP__ENABLED (default=true) Enable application backups through the UI
Expand All @@ -153,7 +153,7 @@ OPENPROJECT_BLACKLISTED__ROUTES (default=[]) Blocked routes to prevent access to
OPENPROJECT_BOARDS__DEMO__DATA__AVAILABLE (default=false) Internal setting determining availability of demo seed data
OPENPROJECT_BRUTE__FORCE__BLOCK__AFTER__FAILED__LOGINS (default=20) Number of login attempts per user before assuming brute force attack
OPENPROJECT_BRUTE__FORCE__BLOCK__MINUTES (default=30) Number of minutes to block users after presumed brute force attack
OPENPROJECT_CACHE__EXPIRES__IN__SECONDS (default=nil) Expiration time for memcache entries, empty for no expiry be default
OPENPROJECT_CACHE__EXPIRES__IN__SECONDS (default=nil) Expiration time for memcache entries, empty for no expiration be default
OPENPROJECT_CACHE__FORMATTED__TEXT (default=true) Cache formatted text
OPENPROJECT_CACHE__MEMCACHE__SERVER (default=nil) The memcache server host and IP
OPENPROJECT_CACHE__NAMESPACE (default=nil) Namespace for cache keys, useful when multiple applications use a single memcache server
Expand Down Expand Up @@ -344,7 +344,7 @@ OPENPROJECT_SELF__REGISTRATION (default=2) Self-registration
OPENPROJECT_SENDMAIL__ARGUMENTS (default="-i") Arguments to call sendmail with in case it is configured as outgoing email setup
OPENPROJECT_SENDMAIL__LOCATION (default="/usr/sbin/sendmail") Location of sendmail to call if it is configured as outgoing email setup
OPENPROJECT_SESSION__COOKIE__NAME (default="_open_project_session") Set session cookie name
OPENPROJECT_SESSION__TTL (default=120) Session expiry time after inactivity
OPENPROJECT_SESSION__TTL (default=120) Session expiration time after inactivity
OPENPROJECT_SESSION__TTL__ENABLED (default=false) Session expires
OPENPROJECT_SHOW__COMMUNITY__LINKS (default=true) Enable or disable links to OpenProject community instances
OPENPROJECT_SHOW__PENDING__MIGRATIONS__WARNING (default=true) Enable or disable warning bar in case of pending migrations
Expand Up @@ -70,7 +70,7 @@
</IfModule>
</Directory>

# Send expiry headers for assets, that carry an asset id. Assuming, an asset
# Send expiration headers for assets, that carry an asset id. Assuming, an asset
# id is a unix timestamp, which is currently a 10 digit integer. This might
# change in the far future.
<FilesMatch "\.(ico|pdf|flv|jpg|jpeg|png|gif|js|css|swf)$">
2 changes: 1 addition & 1 deletion docs/release-notes/13/13-2-0/README.md
Expand Up @@ -99,7 +99,7 @@ Please note that **% Complete** does not adjust automatically when the values of
- Bugfix: Can not add invited users to existing groups \[[#51679](https://community.openproject.org/wp/51679)\]
- Bugfix: Project.visible scope slower than it should be \[[#51706](https://community.openproject.org/wp/51706)\]
- Bugfix: Ongoing meetings are not visible via the Meetings tab in work packages \[[#51715](https://community.openproject.org/wp/51715)\]
- Bugfix: The Access Token expiry date not updated on refresh for FileStorage tokens \[[#51749](https://community.openproject.org/wp/51749)\]
- Bugfix: The Access Token expiration date not updated on refresh for FileStorage tokens \[[#51749](https://community.openproject.org/wp/51749)\]
- Bugfix: Work package share permissions not in Work package permission group \[[#52086](https://community.openproject.org/wp/52086)\]
- Bugfix: lockVersion missing in payload for API WP form when only having change_work_package_status permission \[[#52089](https://community.openproject.org/wp/52089)\]
- Bugfix: Status cannot be changed in backlogs when only having change_work_package_status permission \[[#52090](https://community.openproject.org/wp/52090)\]
2 changes: 1 addition & 1 deletion docs/release-notes/6/6-1-6/README.md
Expand Up @@ -8,7 +8,7 @@ release_date: 2017-03-20

# OpenProject 6.1.6

The release contains an important security fix regarding session expiry.
The release contains an important security fix regarding session expiration.

For details on the security fix, take a look at the
[release news](https://www.openproject.org/blog/openproject-6-1-6-released-security-fix/).
2 changes: 1 addition & 1 deletion docs/release-notes/7/7-0-3/README.md
Expand Up @@ -9,7 +9,7 @@ release_date: 2017-06-29

# OpenProject 7.0.3

The release contains an important security fix regarding session expiry
The release contains an important security fix regarding session expiration
and several bug fixes.

For details on the security fix, take a look at the [release
Expand Up @@ -686,7 +686,7 @@ flowchart LR

OpenProject makes use of technical cookies to identity the browser client and/or remember information such as 2FA login state. The core application makes use of these cookies:

| **Cookie name** | **Description** | **Expiry** | **Security flags** | **Implementation** |
| **Cookie name** | **Description** | **Expiration** | **Security flags** | **Implementation** |
| ---------------------------------------------- | ------------------------------------------------------------ | ------------------------------------------------------------ | ----------------------------------------------------- | ------------------------------------------------------------ |
| `_open_project_session` (name is configurable) | contains the information about the logged in user as well as information stored between requests on the user's choices (e.g. the filters for costs are in part stored there) | Session <br>+ configurable server-sideTTL | secure<br>httponly<br>Samesite=Lax<br>encrypted | [Code ref](https://github.com/opf/openproject/blob/release/16.0/config/initializers/session_store.rb#L34-L39) |
| `autologin` (name is configurable) | (Optional feature, requires opt-in under Administration > Authentication settings) <br>enables the user to automatically log in again after the session expired (e.g. because the browser was closed). It is set when the user checks the '*Stay logged in*' box in the login form.<br> | Cookie 1 year<br>+ server-side token N days (configurable) | secure<br>httponly<br>Samesite=Lax<br>encrypted | [Code ref](https://github.com/opf/openproject/blob/release/16.0/app/services/users/login_service.rb#L58-L74) |
Expand Up @@ -29,7 +29,7 @@ Under the *Login* tab you can adjust following settings:

2. Activate the **session expiration option**.

3. Set the **duration for inactivity time**, after which a session will expire. Note that any value below 5 will be treated as disabling the session expiry setting.
3. Set the **duration for inactivity time**, after which a session will expire. Note that any value below 5 will be treated as disabling the session expiration setting.

4. Define whether **user login, name, and mail address** should be logged for all requests.

4 changes: 2 additions & 2 deletions docs/user-guide/account-settings/README.md
Expand Up @@ -270,11 +270,11 @@ To view and manage your OpenProject sessions navigate to **Account settings** an

![Sessions management in OpenProject account settings](openproject_account_settings_sessions_management.png)

Here you can view and manage all of your active and remembered sessions in one place. Each row shows the browser, device, expiry date and last connection timestamp. For your current session the “Last connection” column displays **“Current (this device)”**.
Here you can view and manage all of your active and remembered sessions in one place. Each row shows the browser, device, expiration date and last connection timestamp. For your current session the “Last connection” column displays **“Current (this device)”**.

You can revoke a session at any time by clicking the **×** icon at the end of the row. Hover over the icon to see the **“Revoke”** tooltip. When you click, a confirmation message appears.

Sessions expire automatically according to your instance’s authentication settings. Remembered sessions show their expiry in relative time (for example “in 5 days”).
Sessions expire automatically according to your instance’s authentication settings. Remembered sessions show their expiration in relative time (for example “in 5 days”).

> [!NOTE]
> Closing a browser does not necessarily terminate the session. It might still be displayed in the list and will be reactivated if you open the browser. This depends on both your browser's and the OpenProject instance's settings.
6 changes: 3 additions & 3 deletions lib/api/helpers/attachment_renderer.rb
Expand Up @@ -134,7 +134,7 @@ def fog_cache_seconds
end

def avatar_link_expires_in
seconds = avatar_link_expiry_seconds
seconds = avatar_link_expiration_seconds

if seconds == 0
nil
Expand All @@ -143,8 +143,8 @@ def avatar_link_expires_in
end
end

def avatar_link_expiry_seconds
@avatar_link_expiry_seconds ||= OpenProject::Configuration.avatar_link_expiry_seconds.to_i
def avatar_link_expiration_seconds
@avatar_link_expiration_seconds ||= OpenProject::Configuration.avatar_link_expiration_seconds.to_i
end
end
end
Expand Up @@ -30,7 +30,7 @@

module OpenProject
module Authentication
module SessionExpiry
module SessionExpiration
def session_ttl_enabled?
Setting.session_ttl_enabled? && Setting.session_ttl.to_i >= 5
end
Expand Up @@ -28,7 +28,7 @@
# See COPYRIGHT and LICENSE files for more details.
#++

require "open_project/authentication/session_expiry"
require "open_project/authentication/session_expiration"

module OpenProject
module Authentication
Expand All @@ -39,7 +39,7 @@ module Warden
# not been unified in terms of Warden strategies and is only locally
# applied to the API v3.
class Session < ::Warden::Strategies::Base
include ::OpenProject::Authentication::SessionExpiry
include ::OpenProject::Authentication::SessionExpiration

def valid?
# A session must exist and valid