How to make session variables persist even after logout?


Mandar Vaze

May 23, 2014, 1:58:40 PM5/23/14
to web...@googlegroups.com
I have two applications using different versions of web2py

I'm using session variables to store some sort of user preferences.

First one uses version 2.3.2
Here - I set the session variables after user selects their preferences. These values are available even after user logs out and logs back in
This works well for me.

The second one uses version 2.9.5
Here - the code is similar (set session variables when user sets the preferences) - but when the user logs out - the session variables are lost.
So when user logs in again - the preferences are lost

In both cases - sessions are stored on the filesystem (default setup), neither have I modified any expiration values from the default 

I'm assuming this is due to some changes in how web2py handles sessions between 2.3.2 and 2.9.5

Is there a way to retain session variables even after user logs out - in 2.9.5 ?

I have seen suggestions to use cache options - but I would prefer to continue to use session variables (in 2.3.2 this was seamless - just set/get the variables - nothing more)

-Mandar

Derek

May 23, 2014, 2:26:55 PM5/23/14
to web...@googlegroups.com
A session should only be temporary storage related to the current session. If you are storing preferences in user accounts then you should store them with the user accounts, not using a session. I don't see what your problem is.

Anthony

May 23, 2014, 4:36:48 PM5/23/14
to web...@googlegroups.com
Yes, due to a security vulnerability, the behavior was changed -- now by default, a new session ID is created upon either login or logout, and upon logout, the session itself is cleared. The behavior can be controlled with these settings (default values shown):

auth.settings.renew_session_onlogin = True   # change session ID
auth.settings.renew_session_onlogout = True  # change session ID
auth.settings.keep_session_onlogin = True    # keep session content
auth.settings.keep_session_onlogout = False  # clear session content

To achieve what you want, do:

auth.settings.keep_session_onlogout = True

Though keeping in mind there may be a security risk if anything in the session should pertain only to the previously logged in user. If you want to keep only particular keys in the session upon logout, then make the setting as shown above, and create an auth.settings.logout_onlogout callback that clears all the keys in the session except those you want to keep.

Note, if necessary, you can also renew the session directly via:

session.renew(clear_session=[True|False])

That is the method called by Auth, depending on the above settings.

Anthony
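Added example (not code from the thread or from web2py itself) of the callback Anthony describes: with keep_session_onlogout set to True, a logout_onlogout callback drops every session key except an explicit allow-list, so per-user data such as the auth record never survives into the next login while the filter settings do. The session is stood in for by a plain dict (web2py's Storage is a dict subclass), the key names are hypothetical, and the assumption that Auth calls the callback as onlogout(user) is marked in the comments.

```python
# Added example, not from the thread or from web2py.
# In a real web2py model you would register it like this (settings named in
# Anthony's reply; the onlogout(user) call signature is an assumption):
#     auth.settings.keep_session_onlogout = True
#     auth.settings.logout_onlogout = make_logout_callback(session, KEEP_ON_LOGOUT)

# Hypothetical key names for the grid filters worth carrying across logouts.
KEEP_ON_LOGOUT = frozenset({"grid_filters"})


def prune_session(session, keep):
    """Delete every key of `session` not listed in `keep`; return the removed keys."""
    removed = sorted(k for k in session if k not in keep)
    for k in removed:
        del session[k]
    return removed


def make_logout_callback(session, keep):
    """Build a function suitable for auth.settings.logout_onlogout.

    Allow-list rather than deny-list: anything not explicitly kept (the auth
    record, scratch data of the previous user, form keys) is dropped, so a
    new key added later to the session is cleared by default.
    """
    def onlogout(user=None):  # `user` argument: assumed Auth callback signature
        return prune_session(session, keep)
    return onlogout


def demo():
    # Constructed session contents, not captured from a real application.
    session = {
        "grid_filters": {"status": "open", "owner": "me"},
        "auth": {"user": {"id": 42, "email": "user@example.com"}},
        "admin_scratch": ["values", "of", "previous", "user"],
        "_formkey": "abc",
    }
    onlogout = make_logout_callback(session, KEEP_ON_LOGOUT)
    removed = onlogout(user=session["auth"]["user"])
    return session, removed


if __name__ == "__main__":
    kept, removed = demo()
    print("kept:", kept)
    print("removed:", removed)
```

Because renew_session_onlogout stays at its default of True, the session ID is still rotated on logout; only the content listed in KEEP_ON_LOGOUT is copied into the renewed session.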

Mandar Vaze

May 24, 2014, 12:06:12 AM5/24/14
to web...@googlegroups.com
Derek,

Maybe I misrepresented my scenario - these aren't exactly preferences.
In both the applications - user sees SQLFORM.grid with large number of records. User will use filter to reduce the count.
Depending on the user - user is likely to use same filters for quite some time - across logins/logouts
So these aren't exactly preferences.

I understand that using sessions across login/logout isn't the right thing to do - but since I got that behaviour in 2.3.2 - I want it in current version as well :)
Also - the kind of information I'm storing shouldn't lead to "security issue" AFAIK

What Anthony suggested is helpful.
 
If you are storing preferences in user accounts then you should store them with the user accounts

Can you provide additional details ? Do you mean auth.settings.extra_fields ?

-Mandar

Massimo Di Pierro

May 24, 2014, 3:11:10 AM5/24/14
to web...@googlegroups.com

Derek

May 27, 2014, 3:47:32 PM5/27/14
to web...@googlegroups.com
Yes, as Massimo and I have suggested, you should store them in extra_fields. That way they will be associated with the users. Another alternative is to use an extra cookie, but that seems like a waste of bandwidth.