Forum OpenACS Q&A: Re: How to expire session on the server side?

Posted by Torben Brosten on
Hi Dave,

Without searching for irc chats on the subject, basically I recall 2 situations

First, a project requirement, such as in ecommerce, banking, commercial LAN environments, very public portals that host controversial topics etc., requires a user's session to be immediately terminated on request.

Second is this:

Some admins increase the values of the LoginTimeout, SessionLifetime, SessionRenew, SessionSweepInterval and SessionTimeout kernel parameters to reduce load and increase usability (require re-login less frequently etc.), especially where trusted users are fairly stable after login and system resources are limited.

Anyway, the problem is that at some point a user gets banned, but then it takes much, much longer for the session to expire etc.; meanwhile the user has unauthorized access to the system and may be doing harmful actions.

One way to handle this would be lowering the values, restarting the server, waiting for the user to hopefully use each of the different browser sessions that might be open, and then resetting the kernel parameters again and restarting the server... and praying that *all* the banned user's sessions are logged out.

A force_user_logout proc would fix these scenarios.
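As an added illustration of what such a proc could look like (not code from this thread or from the OpenACS kernel), the sketch below removes a banned user's server-side sessions right away instead of waiting for the sweeper. It assumes the kernel table `sec_sessions` has `session_id` and `user_id` columns and that the `db_list` / `db_dml` API is available; verify both against your own installation before relying on it.

```tcl
# Added illustration, not part of the original post or of OpenACS itself.
# Assumptions: sec_sessions(session_id, user_id) exists and db_list/db_dml
# are the installed database API. Check column names on your version.
ad_proc -public force_user_logout {
    -user_id:required
} {
    Invalidate every server-side session belonging to user_id immediately,
    rather than waiting for SessionTimeout / SessionSweepInterval to expire them.
    Returns the number of sessions removed.
} {
    # Collect the sessions first so the caller can report what was terminated.
    set session_ids [db_list get_user_sessions {
        select session_id from sec_sessions where user_id = :user_id
    }]
    if { [llength $session_ids] == 0 } {
        return 0
    }
    # Remove the rows; a request that still carries one of these session
    # cookies no longer resolves to the banned user_id on the server.
    db_dml remove_user_sessions {
        delete from sec_sessions where user_id = :user_id
    }
    # Leave an audit trail so the ban can be correlated with the forced log-out.
    ns_log Notice "force_user_logout: removed [llength $session_ids] session(s) for user_id $user_id"
    return [llength $session_ids]
}
```

Calling it from the ban/deactivation path (rather than only from an admin page) closes the window the post describes, since the sessions are gone before the banned user's next request.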