Forum OpenACS Q&A: ok, here is the real session timeout bug in 3.2

you are fine as long as SessionInfoCacheInterval (I don't think this
is in the default openacs preferences file, but it should be; it's
used in ad-security) is much smaller than SessionCookieReissue.  But
what can happen is, sec_read_security_info reissues the cookie per
SessionCookieReissue, which updates sec_sessions with the new
last_hit value BUT DEFERS THE UPDATE UNTIL THE CONN CLOSES.  Thus
even though it flushes sec_get_session_info, the next call to
sec_get_session_info will reread THE VERY SAME INFORMATION it had
before, i.e. the "old" last_hit value, and unless
SessionInfoCacheInterval expires again before the session timeout
does, the user will be asked to log in again.

The reason this is such a problem is that it makes "remember me
forever" users log in again as well, since normally sec_read_security_info
provides them with a new session before they'd time out.  But since
sec_read_security_info uses the last_hit value from the cookie, and
ad_validate_security_info uses the (potentially incorrect) value from
the db cache, they'll get timed out and have to log in manually.  (Of
course it needs to use the value from the db, because we don't want to
blindly trust the cookie here, but for things to work the value in
the db needs to be correct.)

I don't see any way around this except removing the
ad_defer_dml "cleverness," performing the write immediately so
get_session_info reads the right value.

(The only other use of ad_defer_dml is in ad_set_client_property
which is unused as far as I can tell.)
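
The timing interplay described in the post above, as an added model that is not OpenACS code: SessionStore, SessionCache and simulate() are hypothetical stand-ins for sec_sessions, the sec_get_session_info cache and the sec_read_security_info / ad_validate_security_info path, with time as a simulated integer clock. The hit sequence is constructed. It replays one "remember me" user whose last hits fall just inside the 86400-second timeout and shows three outcomes: the deferred write with SessionInfoCacheInterval equal to SessionCookieReissue (600/600) logs the user out, the same deferred write with a much smaller cache interval does not, and performing the write immediately does not.

```python
"""Model of the deferred-DML / session-cache interaction (added example,
not OpenACS code; all class and function names are hypothetical)."""


class SessionStore:
    """Stand-in for the sec_sessions row; models ad_defer_dml-style deferral."""

    def __init__(self, last_hit, defer_dml):
        self.last_hit = last_hit
        self.defer_dml = defer_dml
        self.pending = None

    def update_last_hit(self, now):
        if self.defer_dml:
            self.pending = now        # deferred until the connection closes
        else:
            self.last_hit = now       # written immediately

    def conn_close(self):
        """Deferred DML runs here, after validation already happened."""
        if self.pending is not None:
            self.last_hit = self.pending
            self.pending = None


class SessionCache:
    """Stand-in for the sec_get_session_info cache (SessionInfoCacheInterval TTL)."""

    def __init__(self, store, interval):
        self.store = store
        self.interval = interval
        self.value = None
        self.cached_at = None

    def get(self, now):
        if self.value is None or now - self.cached_at >= self.interval:
            self.value = self.store.last_hit   # re-read from the db
            self.cached_at = now
        return self.value

    def flush(self):
        self.value = None


def simulate(hit_times, defer_dml, cache_interval=600, cookie_reissue=600,
             session_timeout=86400):
    """Replay a list of hit times (seconds) for one 'remember me' user.

    Returns the first hit time at which validating against the db-cached
    last_hit would force a re-login, or None if the user stays logged in.
    """
    store = SessionStore(last_hit=hit_times[0], defer_dml=defer_dml)
    cache = SessionCache(store, cache_interval)
    cookie_issued = hit_times[0]
    for now in hit_times[1:]:
        # sec_read_security_info: reissue the cookie per SessionCookieReissue
        if now - cookie_issued >= cookie_reissue:
            store.update_last_hit(now)   # sec_sessions.last_hit := now (maybe deferred)
            cache.flush()                # flush sec_get_session_info
            cookie_issued = now          # new cookie carries last_hit = now
        # ad_validate_security_info: trusts the db cache, not the cookie
        db_last_hit = cache.get(now)
        if now - db_last_hit > session_timeout:
            return now
        store.conn_close()               # deferred write lands only now
    return None


# Constructed hit sequence: a return visit just inside the timeout, then two
# quick follow-up hits within one SessionInfoCacheInterval of it.
HITS = [0, 86000, 86300, 86500]

if __name__ == "__main__":
    print("deferred, 600/600  :", simulate(HITS, defer_dml=True))
    print("deferred, cache 60 :", simulate(HITS, defer_dml=True, cache_interval=60))
    print("immediate, 600/600 :", simulate(HITS, defer_dml=False))
```

With the deferred write, the reissue at t=86000 flushes the cache, but the very next read repopulates it with the old last_hit of 0 because the update has not yet committed; the hit at t=86500 is still served from that stale entry, so 86500 - 0 exceeds the timeout and the user is logged out even though both the cookie and the committed row say 86000. Shrinking the cache interval well below the reissue interval lets the cache expire and pick up the committed value in time, and writing immediately removes the stale read altogether.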

Hi Jonathan,
I'm using OpenACS 3.x. You wrote:

    you are fine as long as SessionInfoCacheInterval... is much smaller than SessionCookieReissue

I just checked my installation and found both values to be 600.

Here are the relevant values:

* SessionCookieReissue 600
* SessionInfoCacheInterval 600
  SessionTimeout 86400
  SessionLifetime 176800
  LastVisitUpdateInterval 600
  AllowPersistentLoginP 1
  PersistentLoginDefaultP 1
  LastVisitCookiesEnabledP 1
  LastVisitExpiration 86400
  LastVisitCacheUpdateInterval 600

What are your recommendations for the two "*" values and the others?

It appears to me to be working as is with IE5.5, 6.0 and NS4.x. I do get a regular but small trickle of support email about logon and some difficulties users have with the log on and log off process. A long time ago, I removed the "remember me" checkbox and advised people to click logoff if they are at the cybercafe or at work. Most of our users are on their own home computers.

I've noticed that if you have multiple browsers open, you can have one logged in and another logged out and that the browsers can get confused... and one might not be logged out depending on the order in which browsers are closed. But I'm probably not typical!

TIA
-Bob