Forum OpenACS Development: Re: Logout on browser close, missing important feature!

Posted by Andrew Piskorski on
AFAIR OpenACS has always supported "logout on browser close". If the site does not allow persistent logins, then closing the browser will effectively log you out, no? I have not tested that feature in years but I recall it working that way.

Or do you mean something different, like a setting that individual users can change to control if/when they get logged out?

Posted by Dave Bauer on
Andrew,

Nope. Persistent login does not behave that way because 1) the login cookie timeout parameter has a default value. You cannot set it to an empty string to create a session cookie.
So you always have a 1 day persistent cookie unless you set it to a different value. If your login times out AND your session times out, you do have to log in again, but it is unrelated to the browser.

2) Due to changes made ages ago, even if the ad_user_login cookie could be a session cookie, if you have an ad_session_id cookie, it will refresh your session if it is within the session timeout even if you don't have a login cookie.

So there are two changes. 1) Allow the logintimeout parameter to have an empty string value. 2) Allow the session handler to deal with a missing login cookie appropriately, if login timeout is an empty string.

I think this patch does that :)

Of course Firefox makes this all more interesting, because if you have a tab open with your OpenACS site and you either have the Open my tabs option selected or Firefox asks you if you want to save the open tabs on close, it will ALSO save your session cookies and keep them around, so you won't be logged out, even with a session cookie. So not only do you need to change the code, but users will need to understand how this works in Firefox. To combat this I also have a reasonably short session timeout of 1 hour. Less than that and users might be annoyed.
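The two changes described in the post above, as an added Python model that is not part of the thread and is neither OpenACS code nor the patch being discussed: an empty login timeout yields a cookie with no `Max-Age`, and the session check stops accepting a fresh `ad_session_id` on its own when the login cookie is missing. The function names, the `user_id,last_hit` session value format and the rule that session-cookie mode requires both cookies are assumptions made for illustration; real cookie values would also be signed.

```python
from http.cookies import SimpleCookie

SESSION_TIMEOUT = 3600  # seconds; the 1 hour session timeout from the post


def login_cookie(user_id, login_timeout):
    """Return the Set-Cookie value for ad_user_login (hypothetical helper).

    login_timeout is a number of seconds, or "" to request a session
    cookie: with no Max-Age/Expires the browser drops it on close.
    """
    jar = SimpleCookie()
    jar["ad_user_login"] = str(user_id)  # constructed, unsigned value
    morsel = jar["ad_user_login"]
    morsel["path"] = "/"
    morsel["httponly"] = True
    if login_timeout != "":
        morsel["max-age"] = int(login_timeout)
    return morsel.OutputString()


def resolve_user(cookies, now, login_timeout):
    """Return the logged-in user id, or 0 for "not logged in".

    cookies maps cookie name -> value as sent by the browser.
    ad_session_id is modelled as "user_id,last_hit_epoch" (constructed).
    """
    login = cookies.get("ad_user_login")
    session = cookies.get("ad_session_id")
    fresh_user = 0
    if session:
        user_id, last_hit = (int(part) for part in session.split(","))
        if now - last_hit <= SESSION_TIMEOUT:
            fresh_user = user_id
    if login_timeout == "":
        # Session-cookie mode: a fresh session is honoured only together
        # with a matching login cookie, so a leftover ad_session_id
        # cannot keep the user logged in after the browser was closed.
        return fresh_user if login == str(fresh_user) else 0
    # Persistent mode: a fresh session is enough; otherwise the login
    # cookie (still within its own lifetime) re-establishes the session.
    if fresh_user:
        return fresh_user
    return int(login) if login else 0
```
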