I guess that's the reason why I can still access the logged-in page
after closing and relaunching the browser. This will not happen when only
a session is created, and a new session will be generated after accessing the
site again by launching the browser.
Anthony Chee wrote:
Thanks for your reply. I would like to provide more information on this.
I have the following code:
    $self->session_config(
        CGI_SESSION_OPTIONS => [
            "driver:file;serializer:yaml",
            $self->query,
            {
                Directory => $self->param('serverRoot') . 'tmp',
            }
        ],
        DEFAULT_EXPIRY => '+1m',
    );
    $self->authen->config(
        DRIVER => [.......],
        STORE => 'Session',
        LOGIN_SESSION_TIMEOUT => '1m',
    );
What I supposed is that I use the session to store the user information, as I
used STORE => 'Session', but my browser received the cookie from the
server with content CGISESSION and an expiry time of 1m. A session is also
created in the server tmp directory, also with a 1m expiry time. It is so
strange. Is it normal?
Regards,
Anthony
Cees Hek wrote:
On 8/10/06, Anthony Chee <[EMAIL PROTECTED]> wrote:
I would like to ask how the two parameters mentioned co-operate
together. Do they overlap in functionality?
I tried setting IDLE_FOR to 30m and _SESSION_ETIME to 10m for the
program. I discovered that I can still access the logged-in page after
closing the browser, skipping the normal logout procedure, and
accessing the system again. Is it normal? How should I configure the two
parameters if I want to ignore the old session when accessing the system
again after closing the browser?
There is no way for the server to know that you closed your
browser, and then started it up again. To guess that this happened we
usually use 'browser session' cookies which have no fixed expiry set.
That means that the browser is supposed to clear that cookie when the
browser closes, but to keep it forever if the browser stays open.
So when you set an expiry on your CAP::Session, the cookie gets an
expiry time, which means it does not act as a 'browser session'
cookie, so when you close the browser, the cookie gets saved to disk,
and the next time you open your browser, the cookie is loaded back in
(unless the expiry time has passed).
So if you set an expiry on your CAP::Session, closing the browser does
nothing.
The IDLE_FOR parameter sets an expiry on one of the parameters in your
CAP::Session. It basically tells it that this parameter is only good
for 10 minutes. But on every request, it resets that timeout, since
the user is not idle and has another 10 minutes to go.
So I guess what you want is to remove any expiry on the CAP::Session
configuration, and just use the expiries in the Authen configuration.
Let me know if that works for you.
Cheers,
Cees
---------------------------------------------------------------------
Web Archive: http://www.mail-archive.com/[email protected]/
http://marc.theaimsgroup.com/?l=cgiapp&r=1&w=2
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
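The setup Cees suggests, applied to the configuration quoted in this thread, as an added example (not code posted by anyone in the thread): the session cookie carries no expiry, and the login timeout lives only in the Authen configuration. The package name MyApp, the session directory, the run mode names and the Generic driver with a sample credential are assumptions made for illustration.

```perl
package MyApp;    # hypothetical application class
use strict;
use warnings;
use base 'CGI::Application';
use CGI::Application::Plugin::Session;
use CGI::Application::Plugin::Authentication;

sub cgiapp_init {
    my $self = shift;

    # No DEFAULT_EXPIRY and no -expires in COOKIE_PARAMS: the session
    # cookie is sent without an expiry, so the browser treats it as a
    # 'browser session' cookie and drops it when the browser closes.
    $self->session_config(
        CGI_SESSION_OPTIONS => [
            'driver:file;serializer:yaml',
            $self->query,
            { Directory => '/tmp/myapp-sessions' },    # assumed path
        ],
        COOKIE_PARAMS => { -path => '/' },
        SEND_COOKIE   => 1,
    );

    # The login expires on the server side instead. IDLE_FOR is reset on
    # every request, so it only fires after 30 minutes without activity.
    $self->authen->config(
        DRIVER => [ 'Generic', { demo => 'constructed-password' } ],  # sample only
        STORE  => 'Session',
        LOGIN_SESSION_TIMEOUT => { IDLE_FOR => '30m' },
    );
    $self->authen->protected_runmodes('private');
}

sub setup {
    my $self = shift;
    $self->start_mode('public');
    $self->run_modes( [qw(public private)] );
}

sub public  { return 'public page' }
sub private { return 'logged in as ' . $_[0]->authen->username }

1;
```

With no expiry on the CGI::Session side, session files in the directory are not aged out by this configuration, so stale files need separate cleanup.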