Forum OpenACS Q&A: Re: How to expire session on the server side?

14: Re: How to expire session on the server side? (response to 1)

Posted by Dave Bauer on 08/09/08 10:31 PM

The cookies are sent on every request. As long as the request requires login, the cookie with be compared with the users token and the cookie will be invalid and they will be required to login again.

15: Re: How to expire session on the server side? (response to 14)

Posted by Dave Bauer on 08/09/08 10:40 PM

Phew! I that I was going crazy.

        if { $session_expr - [sec_session_renew] < [ns_time] } {

            # LARS: We abandoned the use of sec_login_handler here. This lets people stay logged in forever                                                    
            # if only they keep requesting pages frequently enough, but the alternative was that                                                                
            # the situation where LoginTimeout = 0 (infinte) and the user unchecks the "Remember me" checkbox                                                  
            # would cause users' sessions to expire as soon as the session needed to be renewed                                                                
            sec_generate_session_id_cookie
        }

This code breaks the sec_change_user_auth_token because it never checks the login auth_token if your session has not expired.

So I lose :) But it is a bug in the sec_handler not in sec_change_user_auth_token. I suggest we fix this instead of some magic code that runs on a future request.