
Ticket #252 (closed defect: fixed)

Opened 13 years ago

Last modified 12 years ago

Identity Session expires regardless of additional requests

Reported by: jchu@…
Owned by: Jeff Watkins
Priority: normal
Milestone: 0.9
Component: Identity
Version:
Severity: normal
Keywords:
Cc:

Description

Because the expiry time is stored in the user's cookie and never updated, sessions time out 20 minutes after login no matter what.

I have a patch to send a new identity cookie for every request.

Strictly speaking, I don't know if we should trust the user to keep the expiry time. Just because it's a cookie doesn't mean the user can't edit it. The expiry doesn't *have* to be stored in the cookie, so why do it? It'd be much better in the db. We could update it when we pull out the SecretToken from the db, not have to generate a new SecretToken for every request, and not have to update the user's cookie every request.

Attachments

identity-refresh.patch (557 bytes) - added by jchu@… 13 years ago.

Change History

Changed 13 years ago by jchu@…

comment:1 Changed 13 years ago by Jeff Watkins

  • Owner changed from anonymous to Jeff Watkins
  • Summary changed from [PATCH] Logins timeout after 20 minutes (whatever the secrettoken timeout is) to Identity Session expires regardless of additional requests

This is rather more complicated than just resending the cookie. If the browser is configured to confirm each cookie, the visitor will receive a confirmation dialog on each page request. This isn't so cool.

The answer is to remove the expiration from the cookie entirely. The expiration should be stored in the secret token table and tracked separately.

comment:2 Changed 13 years ago by Jeff Watkins

  • Status changed from new to closed
  • Resolution set to fixed

Included in revision r386.
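
The approach agreed in the comments above (expiry kept with the secret token on the server and extended on each request, cookie carrying only the token), sketched as an added example; this is not the code from r386 or the project's own implementation. `TokenStore`, `login`, `validate` and the in-memory dict standing in for the secret token table are hypothetical names chosen for illustration.

```python
import secrets

SESSION_TIMEOUT = 20 * 60  # seconds; the 20-minute timeout described in the ticket


class TokenStore:
    """Hypothetical stand-in for the secret token table: token -> (user, expires_at)."""

    def __init__(self, timeout=SESSION_TIMEOUT):
        self.timeout = timeout
        self._rows = {}

    def login(self, user, now):
        # The cookie carries only this opaque token. The expiry never leaves
        # the server, so editing the cookie cannot extend a session.
        token = secrets.token_urlsafe(32)
        self._rows[token] = (user, now + self.timeout)
        return token

    def validate(self, token, now):
        """Return the user for a live token and slide its expiry, else None."""
        row = self._rows.get(token)
        if row is None:
            return None
        user, expires_at = row
        if now >= expires_at:
            del self._rows[token]  # expired: remove the row so it cannot be reused
            return None
        # Sliding expiration: every valid request pushes the deadline forward
        # without issuing a new token or resending the cookie.
        self._rows[token] = (user, now + self.timeout)
        return user


def run_demo():
    """Constructed timeline: requests at 15, 30 and 45 minutes, then idle."""
    store = TokenStore()
    t0 = 1_000_000  # constructed login timestamp, in seconds
    token = store.login("alice", t0)
    results = [store.validate(token, t0 + m * 60) for m in (15, 30, 45)]
    # Last activity was at 45 minutes, so the deadline is 65 minutes.
    results.append(store.validate(token, t0 + 65 * 60))
    results.append(store.validate(token, t0 + 66 * 60))
    return results


if __name__ == "__main__":
    print(run_demo())
```

An active visitor stays logged in past the original 20-minute mark, while an idle one is rejected once the server-side deadline passes.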
