Forum OpenACS Development: Re: Expired Cookie

5: Re: Expired Cookie (response to 4)
Posted by Malte Sussdorff on
I think this is due to the fact that the session cookie has expired but the user cookie hasn't. So when you come back to the site the user cookie is still valid, but the session one isn't, so you are asked to log in again. This is on *any* page that requires a permission check.

It should be changed so that the user is only required to enter his password if the public does not have read access. If the user has more functionality on the page when logged in, he would realize that and log in, wouldn't he?

It requires a TIP anyway, but maybe people can post their opinion about this? I usually get annoyed when I have to log in to cognovis.de just to view our developer pages, even if I do not want to edit them.

Personally I could envision the following change. Add a user cookie lifetime parameter to acs-kernel which allows you to expire the user cookie as well. If someone wants the current behavior, just leave it at "0" which is the default. If someone wants the user to expire when the session does, set the lifetime to the amount of the session.

Makes sense?

6: Re: Expired Cookie (response to 5)
Posted by Tom Jackson on
This setup was developed before browsers started remembering your login details. A better practice would be to eliminate the user cookie completely and use the opaque session cookie to get the information. Maybe cache it in an nsv array.

If the OACS system maintains session data, it would be easy to add certain functionality: admin delete of a current session, forcing re-login, and user delete, preventing future use of a session (replay attack). You could also create a temporary read-only system by flushing all session data and disabling the login page. Maybe some of this is already available.
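As an added illustration (not code from this thread or from OpenACS itself), here is a Python model of the two-cookie behaviour described in reply 5 together with the changes proposed in both replies: a user-cookie lifetime parameter where 0 keeps the current never-expire behaviour, a permission check that only forces a password when the public lacks read access, and a server-side session store that can be revoked per session or flushed for a read-only period. The names `SessionStore`, `remembered_user` and `decide` and the cookie layouts are assumptions made for the example.

```python
class SessionStore:
    """Server-side session records keyed by the opaque session id (reply 6)."""

    def __init__(self):
        self.sessions = {}

    def create(self, sid, user_id, now, lifetime):
        self.sessions[sid] = {"user": user_id, "expires": now + lifetime}

    def user_for(self, sid, now):
        """Return the user behind a live session, or None if unknown or expired."""
        s = self.sessions.get(sid)
        if s is None or now >= s["expires"]:
            return None
        return s["user"]

    def revoke(self, sid):
        """Admin or user deletion of one session: forces re-login, blocks replay."""
        self.sessions.pop(sid, None)

    def flush_all(self):
        """Temporary read-only mode: drop every session (pair with disabling login)."""
        self.sessions.clear()


def remembered_user(user_cookie, now, user_cookie_lifetime):
    """Proposed acs-kernel parameter (reply 5): 0 = user cookie never expires."""
    if user_cookie is None:
        return None
    if user_cookie_lifetime and now - user_cookie["issued"] >= user_cookie_lifetime:
        return None
    return user_cookie["user"]


def decide(store, sid, user_cookie, now, user_cookie_lifetime, public_can_read):
    """Outcome of a request for a page that performs a permission check.

    ('serve', uid)         live session: normal page
    ('serve_public', uid)  session gone but the public may read: page plus a login link
    ('login', uid)         session gone, public may not read: ask for the password
    uid is the user a still-valid user cookie remembers, or None.
    """
    uid = store.user_for(sid, now)
    if uid is not None:
        return ("serve", uid)
    uid = remembered_user(user_cookie, now, user_cookie_lifetime)
    if public_can_read:
        return ("serve_public", uid)
    return ("login", uid)
```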