That looks similar to what I'm doing. I have three session timeouts:

- default: 1 minute for bots that never go beyond one request. Response has a "Login" button.
- unauthenticated: 10 minutes. While the user is logging in at the OAuth2 server.
- authenticated: 1-8 hours. Logged-in user.

When the user logs out, I switch back to the unauthenticated timeout and display the "Login" button. I use 'adjust_timeout_for_session' to switch between the three states. I added config variables for the second two timeouts.

I use session cookies so I don't set a cookie expiration; it just expires when the browser exits. My organization discourages persistent cookies for privacy reasons.

On Wed, Sep 23, 2020 at 11:45 AM Zsolt Ero <zsolt....@gmail.com> wrote:
>
> Just for reference I'd like to post what worked for me. Thanks for the
> detailed help.
>
> Finally I've settled on the following values:
> ```
> redis.sessions.secret = xxx
> redis.sessions.cookie_max_age = 315360000 # 10 years, basically forever
> redis.sessions.timeout = 1800
> redis.sessions.cookie_secure = True
> redis.sessions.cookie_httponly = True
> redis.sessions.cookie_samesite = lax
> ```
>
> login:
> ```
> headers = remember(request, user.id)
>
> redis_timeout = 3600 * 24 * 365 # one year in Redis
> request.session.adjust_timeout_for_session(redis_timeout)
>
> return HTTPFound(location=next, headers=headers)
> ```
>
> I've thought about it and analyzed it and come up with the solution that this
> will work well for my use case. I've never experienced any problem with the
> previous version of the library with similar values, which have created way
> more sessions than this one, as this only creates a session when it's
> actually needed on a login/registration page, leaving home page, etc.
> session-less.
>
> --
> You received this message because you are subscribed to the Google Groups
> "pylons-discuss" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to pylons-discuss+unsubscr...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/pylons-discuss/CAKw-smCUE%3DwgPfvFLpR9%2B21r_2gey27hHYopxOK43LYzHor76w%40mail.gmail.com.

--
Mike Orr <sluggos...@gmail.com>
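
The three-state timeout policy described in the reply above, as an added sketch that is not code from the thread. `State`, `TIMEOUTS`, `FakeSession`, `touch` and `set_state` are hypothetical names, and `FakeSession` stands in for a pyramid_session_redis session so the example runs without Redis; only the `adjust_timeout_for_session` method name comes from the messages.

```python
import enum


class State(enum.Enum):
    DEFAULT = "default"                  # first request, often a bot
    UNAUTHENTICATED = "unauthenticated"  # user is at the OAuth2 server
    AUTHENTICATED = "authenticated"      # logged-in user


# Values from the reply; the authenticated timeout may be 1-8 hours.
TIMEOUTS = {
    State.DEFAULT: 60,
    State.UNAUTHENTICATED: 10 * 60,
    State.AUTHENTICATED: 8 * 3600,
}


class FakeSession(dict):
    """Stand-in (assumption) for a server-side session with a sliding idle timeout."""

    def __init__(self, now=0):
        super().__init__()
        self.timeout = TIMEOUTS[State.DEFAULT]  # every new session starts short
        self.last_seen = now

    def adjust_timeout_for_session(self, timeout_seconds):
        self.timeout = timeout_seconds

    def touch(self, now):
        """Return False if the session has expired, otherwise refresh it."""
        if now - self.last_seen >= self.timeout:
            return False
        self.last_seen = now
        return True


def set_state(session, state):
    """Move the session to `state` and apply that state's timeout."""
    if state is State.AUTHENTICATED:
        session["authenticated"] = True
    else:
        session.pop("authenticated", None)  # logout drops the login marker
    session.adjust_timeout_for_session(TIMEOUTS[state])
    return session.timeout
```

Because every session starts on the 1-minute default, a client that never returns leaves a server-side entry for at most a minute, and logout shrinks the lifetime back to 10 minutes instead of leaving the long authenticated timeout in place.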