Identity: delete cookie on browser close

soya...@gmail.com

Nov 6, 2005, 11:05:23 AM
to TurboGears
Hi,

I'm just playing with the identity part of TurboGears and found that I
don't know how to set the identity cookie to last only until the
browser is closed.

Reading some code I found identity.session.timeout, but setting this to
0 just invalidates the login cookie immediately.

Have I missed some obvious way to do this?

Sean Cazzell

Nov 6, 2005, 4:39:40 PM
to turbo...@googlegroups.com
No, you haven't missed anything - it isn't possible right now without
changes to the identity code. The good news is the identity code is
still under heavy development and this sort of thing will be easy to do
in the near future (by 1.0 for sure).

For now, you could delete this line in
identity.filter.send_identity_cookie:

cookies[self.provider.identity_cookie]['expires']= timeout


Sean Cazzell

Jeff Watkins

Nov 6, 2005, 5:29:43 PM
to turbo...@googlegroups.com
This raises an interesting point: I think the Identity framework
should have separate time-out values for the cookie and the identity
session. I think the cookie should default to not having a time out,
hence it will be deleted when the browser quits. The identity session
will still have a 20 minute lifetime.

There are a number of other little tweaks I want to add to the
Identity framework:

* Ability to specify the host and path for the cookie
* Ability to tie a session cookie to the visitor's IP address
* Adding the current identity to the variable provider for template
access

I got distracted with other work this weekend, but I'd like to get
these features included in the next few days.
--
Jeff Watkins
http://newburyportion.com/

"Not everything that can be counted counts, and not everything that
counts can be counted."
-- Albert Einstein


Benoit Masson

Nov 6, 2005, 6:23:03 PM
to turbo...@googlegroups.com
By the way:
http://metrocat.org/nerd/ is down. I posted a discussion post about
how to log out a user. What is the method to let the user
click "logout" to remove the user session?
Benoit
On 6 Nov 05, at 23:29, Jeff Watkins wrote:

Sean Cazzell

Nov 6, 2005, 6:33:10 PM
to turbo...@googlegroups.com
Jeff,

I think I see where you are going with the separate timeouts - that way
the login expires when the browser is closed or the session times out.

What do you think about resetting the session timeout on each request?
That way the timeout really becomes an idle timeout. This is how banks
handle sessions and it seems to strike the right balance between
security and convenience.

Can we also add a checkbox to the login form along the lines of
"remember my login" and then adjust the timeout accordingly?

I would like to be able to set things up so logins expire after ~10
minutes of idle time (or when the browser is closed) if "remember login"
isn't checked, and expire after some really long period if it is.


Sean Cazzell
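
The design discussed in this thread, as an added example that is not from any of the posters and is not TurboGears identity code: the cookie carries no Expires/Max-Age unless "remember my login" is ticked, while the server-side session enforces an idle timeout that is reset on each request. It uses only the Python standard library; the cookie name, the `SessionStore` class, the helper names and the 30-day "remember" period are assumptions.

```python
import secrets
from http.cookies import SimpleCookie

COOKIE_NAME = "identity"             # hypothetical cookie name
IDLE_TIMEOUT = 10 * 60               # ~10 minutes idle, as proposed in the thread
REMEMBER_TIMEOUT = 30 * 24 * 3600    # assumed value for "some really long period"

class SessionStore:                  # the deadline lives server side, not in the cookie
    def __init__(self):
        self._sessions = {}          # token -> {"user", "remember", "expires_at"}

    def login(self, user, remember, now):
        token = secrets.token_urlsafe(32)
        lifetime = REMEMBER_TIMEOUT if remember else IDLE_TIMEOUT
        self._sessions[token] = {"user": user, "remember": remember,
                                 "expires_at": now + lifetime}
        return token

    def touch(self, token, now):
        """Validate a request's token; slide the idle deadline on success."""
        session = self._sessions.get(token)
        if session is None or now >= session["expires_at"]:
            self._sessions.pop(token, None)   # expired or unknown: forget it
            return None
        if not session["remember"]:
            session["expires_at"] = now + IDLE_TIMEOUT
        return session["user"]

    def logout(self, token):
        self._sessions.pop(token, None)       # server side; cookie cleared separately

def identity_cookie(token, remember):
    """Set-Cookie value: no Expires/Max-Age unless "remember my login" was ticked."""
    cookie = SimpleCookie()
    cookie[COOKIE_NAME] = token
    morsel = cookie[COOKIE_NAME]
    morsel["path"] = "/"
    morsel["httponly"] = True
    if remember:
        morsel["max-age"] = REMEMBER_TIMEOUT
    return morsel.OutputString()

def logout_cookie():
    """Set-Cookie value that tells the browser to drop the identity cookie now."""
    cookie = SimpleCookie()
    cookie[COOKIE_NAME] = ""
    cookie[COOKIE_NAME]["path"] = "/"
    cookie[COOKIE_NAME]["max-age"] = 0
    return cookie[COOKIE_NAME].OutputString()
```

Because the deadline is checked in `touch()`, a cookie that outlives the browser session still stops working once the server-side entry expires or `logout()` removes it.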