In the past my site has used two variations of login. For internal users with comprehensive access to our database, it has used a conventional email + password implemented via Auth. For a broader population of users who interact with the site to maintain their membership and register for events on their own behalf, I used email in combination with a one time token sent to the email as a call back to validate the user.
In the future I plan to use the email validation for all users. For the convenience of regular users, I will have a 'Remember Me' checkbox when they validate their email address.
When the callback with the one-time token is processed, the session records the login and sets the session expiration:
session.when_expires = request.now + datetime.timedelta(days = 30)
response.cookies['session_id_init']['expires'] = 30*24*3600
However, I find that I have to reset this expiration for each page that is sent to the user:
response.cookies['session_id_init']['expires'] = int((session.when_expires - request.now).total_seconds())
I have tried without sucess to understand the code in gluon/globals to find a way to avoid the need to reset the session cookie expiration with each request?