Forum OpenACS Development: Session expiration

Posted by Enrique Catalan on
Hi,

I'm wondering how you're handling expired sessions. Do you notify users that the session has expired? We'd like to show some kind of feedback on whether the session is about to expire or has already expired. I found a thread about a similar issue, but it was about how to expire sessions from the server side, which was useful.

I've found in the latest OpenACS version of sec_handler ( http://fisheye.openacs.org/browse/OpenACS/openacs-4/packages/acs-tcl/tcl/security-procs.tcl?u=3&r=1.72 ) that when sessions expire, sec_handler logs the user out using the ad_user_logout proc, which blanks the cookies, and this causes the system to lose track of whether the user had a session.

I'm just wondering if there is a specific reason for not validating the session in sec_handler and setting the auth_level to expired, then redirecting the user to the login page, checking there whether the session has expired and showing the respective feedback message. What do you think?

Thanks

2: Re: Session expiration (response to 1)
Posted by Enrique Catalan on
Hi,

In OpenACS HEAD, LoginTimeOut doesn't seem to work well. SessionTimeOut works OK, though, as do SessionRenew and SessionSweepInterval.

According to https://openacs.org/doc/security-requirements.html , the definition of Persistent Login is to log the user in forever. Do you think it would be a good idea to use a parameter to expire the persistent login (for example, SessionLifeTime)? Gmail seems to have a 2-week persistent-login policy, and in OpenACS SessionLifeTime is 1 week by default.

One more question: is there any reason why the values of cookies are not encrypted?

We're working on a patch to fix the LoginTimeOut issue and to improve SessionTimeOut by showing a feedback message to the user. However, I'd like to know if you're OK with us checking SessionLifeTime to expire the persistent login, or whether you have better ideas.

Thanks
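Added example (not OpenACS code, and in Python rather than the project's Tcl): a small model of the design proposed in the two posts above, where an expired session is not answered by blanking the cookies but by replacing them with a signed cookie that records auth_level "expired" and the reason, so that the login page can show feedback. The parameter names follow the ones mentioned in the thread (SessionTimeout, SessionRenew, SessionLifetime); their values, the exact semantics given to them here, the cookie layout and the secret are all assumptions made for this example. The cookie is integrity-protected with an HMAC rather than encrypted: the question in the post is about confidentiality, but the property a session cookie needs first is that the server can detect tampering with the user id and timestamps.

```python
"""Session-state classifier modelling the thread's proposal (added example)."""
import base64
import hashlib
import hmac
import json

# Names follow the OpenACS parameters mentioned in the thread; the values and
# the precise semantics below are assumptions made for this example.
SESSION_TIMEOUT = 1200        # seconds of inactivity before a session expires
SESSION_RENEW = 300           # reissue the session cookie once it is this old
SESSION_LIFETIME = 7 * 86400  # hard cap on one login (the thread's "1 week" default)
WARN_BEFORE = 120             # tell the user when less than this is left

SECRET = b"constructed-example-secret"  # assumption: a server-side secret


def _sign(payload: dict) -> str:
    """Serialise and HMAC a payload: integrity, not confidentiality."""
    body = base64.urlsafe_b64encode(
        json.dumps(payload, sort_keys=True).encode()).decode()
    mac = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + mac


def _verify(cookie):
    """Return the payload if the MAC is valid, otherwise None."""
    if not cookie or "." not in cookie:
        return None
    body, mac = cookie.rsplit(".", 1)
    expected = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    return json.loads(base64.urlsafe_b64decode(body.encode()))


def issue_session(user_id, now):
    """Cookie handed out at login time."""
    return _sign({"user_id": user_id, "login_at": now, "last_hit": now,
                  "issued_at": now, "auth_level": "ok"})


def check_session(cookie, now):
    """What a request filter would do on every hit.

    Returns (auth_level, cookie_to_set, seconds_left).  On expiry the cookie
    is not blanked: it is replaced by a signed cookie that no longer grants
    access but records the reason, so the login page can give feedback.
    last_hit is only refreshed when the cookie is reissued (every
    SESSION_RENEW seconds), so seconds_left is a lower bound for active users.
    """
    p = _verify(cookie)
    if p is None or p.get("auth_level") != "ok":
        return ("none", None, 0)
    reason = None
    if now - p["login_at"] > SESSION_LIFETIME:      # lifetime wins over timeout
        reason = "lifetime"
    elif now - p["last_hit"] > SESSION_TIMEOUT:
        reason = "timeout"
    if reason:
        expired = {"user_id": p["user_id"], "auth_level": "expired",
                   "reason": reason, "expired_at": now}
        return ("expired", _sign(expired), 0)
    left = min(SESSION_TIMEOUT - (now - p["last_hit"]),
               SESSION_LIFETIME - (now - p["login_at"]))
    new_cookie = None
    if now - p["issued_at"] >= SESSION_RENEW:
        new_cookie = _sign({**p, "last_hit": now, "issued_at": now})
    return ("ok", new_cookie, left)


def login_feedback(cookie):
    """Message for the login page, or None if there is nothing to report."""
    p = _verify(cookie)
    if p is None or p.get("auth_level") != "expired":
        return None
    return {
        "timeout": "Your session expired after a period of inactivity.",
        "lifetime": "Your login reached its maximum lifetime; please log in again.",
    }[p["reason"]]


if __name__ == "__main__":
    c = issue_session(42, 1000)
    level, new_c, left = check_session(c, 1400)
    print(level, new_c is not None, left, left <= WARN_BEFORE)
    level, expired_c, _ = check_session(c, 1000 + SESSION_TIMEOUT + 1)
    print(level, login_feedback(expired_c))
```

The point of the "expired" cookie is that it carries no authority (check_session treats anything but auth_level "ok" as no session) while still letting the login page distinguish an inactivity timeout from a lifetime cap; a tampered or truncated cookie fails the MAC check and is treated as no session at all.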

3: Re: Session expiration (response to 1)
Posted by Torben Brosten on
Enrique Catalan,

Regarding secure cookies, perhaps Dave Bauer can report: https://openacs.org/forums/message-view?message_id=1509515

Beyond that, your questions seem valid. Hopefully someone with experience working on this will answer your questions.

cheers,

Torben

4: Re: Session expiration (response to 1)
Posted by Enrique Catalan on
Thanks for the quick reply, Torben. As your link also states, a couple of years ago we had an external security audit and had to enhance the way cookies were managed. Dave's patch was very useful when using secure connections, and also for getting a better understanding of the sec handler, session cookies and login cookies.