On Apr 25, 2005, at 9:23 AM, Kjetil Kjernsmo wrote:

On Monday 25 April 2005, 17:33, [EMAIL PROTECTED] wrote:
Also, even if it did work properly (assuming I'm not doing something
wrong here) it seems that the value you set would be relative to the
time the session was first created, rather than the time it was last
accessed...

Yeah... I haven't read the specs, but I have come to believe that is how
it was designed. I guess you could modify the cookie on each request
and set a new expiry time. Others are welcome to chime in here... I
really have no good answer to this.

Well, I'm a bit leery of relying on the cookie expiry to expire sessions, because this isn't controlled by the server but is rather a function of the client. While it may work quite well, I don't hold most of the browsers running wild on the internet in high regard, and it would be trivial to bypass any session timeout limits by simply tweaking your client-side cookie file.


One could use the <session:get-last-accessed-time/> XSP tag to check if the session should be invalidated with <session:invalidate/>, though this would need to be run on every page. It would be pretty straight-forward to add something like this to the Apache::AxKit::Plugin::BasicSession module to do something along these lines though.

--
Michael Nachbaur <[EMAIL PROTECTED]>
http://nachbaur.com/pgpkey.asc
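
The following is an added example, not part of the original message and not AxKit or Apache::AxKit::Plugin::BasicSession code: a server-side idle timeout measured from the last access and checked on every request, so the cookie's expiry plays no part in the decision. The names `%SESSIONS`, `create_session`, `touch_session` and `IDLE_TIMEOUT`, the in-memory store and the timeline values are all assumptions made for illustration.

```perl
#!/usr/bin/perl
# Added example: idle timeout enforced by the server, independent of cookie expiry.
# All names here are hypothetical; this is not the BasicSession plugin's API.
use strict;
use warnings;

use constant IDLE_TIMEOUT => 30 * 60;    # seconds of inactivity allowed

my %SESSIONS;    # session id => { last_access => epoch seconds, data => {} }

sub create_session {
    my ($id, $now) = @_;
    $SESSIONS{$id} = { last_access => $now, data => {} };
    return $SESSIONS{$id};
}

# Call on every request. Returns the session if it is still valid, or nothing
# after invalidating it. No client-supplied value (such as the cookie's
# expiry attribute) is consulted, so editing the cookie file changes nothing.
sub touch_session {
    my ($id, $now) = @_;
    my $s = $SESSIONS{$id} or return;
    if ($now - $s->{last_access} > IDLE_TIMEOUT) {
        delete $SESSIONS{$id};    # server-side invalidation
        return;
    }
    $s->{last_access} = $now;     # sliding window: counted from the last access
    return $s;
}

# Constructed timeline: offsets in seconds from session creation.
my $t0 = 1_000_000;
create_session('abc123', $t0);
for my $offset (1200, 2400, 4300) {
    my $state = touch_session('abc123', $t0 + $offset) ? 'active' : 'expired';
    printf "t+%-5d %s\n", $offset, $state;
}
```

The second request arrives 2400 seconds after creation, which is past the 1800-second limit if counted from creation, yet the session stays active because the clock restarts on each access; the third request comes 1900 seconds after the previous one and is rejected.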

