On Mon, 2011-09-05 at 15:25 +0000, Dan Sommers wrote:
> On Sat, 03 Sep 2011 12:00:27 -0700, cd34 wrote:
>
> > Can you run LiveHeaders in firefox and see if it is actually resetting
> > the cookie when you log out the first time?
>
> With timeout and max_age set to 12000 and reissue_time set to 120, I
> logged in, waited more than two minutes (i.e., longer than reissue_time),
> and then logged out. What I saw was the old cookie being removed and a
> new one being issued, all in the same response.
>
> So it looks like the re-issue mechanism is interfering with the
> logout/forget mechanism. I can log out over and over and over again and
> keep getting re-issued cookies.
>
> When I don't include a reissue_time in my AuthTktAuthenticationPolicy, I
> get the correct behavior (i.e., log in, wait, log out, and no new cookie).
>
> If I'm missing something about the reissue_time parameter, then by all
> means, whack me with a clue-stick and fill me in. Or if this is a bug,
> then I'll be glad to file a bug report (not glad because there is a bug,
> of course, but glad that I can in some way contribute).

Sounds like a bug. I've added an issue you can track here:

https://github.com/Pylons/pyramid/issues/262
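
A check for the symptom reported in this thread, as an added example that is not part of the original messages or of Pyramid's code: it replays a logout response's Set-Cookie headers in order and reports whether the auth cookie is still set afterwards. The cookie name `auth_tkt` is assumed to be the policy's default, and the header values are constructed samples.

```python
AUTH_COOKIE = "auth_tkt"  # assumption: the policy's default cookie_name


def parse_set_cookie(value):
    """Split one Set-Cookie value into (name, value, attrs)."""
    first, *rest = [part.strip() for part in value.split(";")]
    name, _, val = first.partition("=")
    attrs = {}
    for part in filter(None, rest):
        key, _, attr_val = part.partition("=")
        attrs[key.strip().lower()] = attr_val.strip()
    return name.strip(), val.strip().strip('"'), attrs


def is_clearing(val, attrs):
    """An empty value or Max-Age <= 0 tells the browser to drop the cookie."""
    try:
        expired = int(attrs.get("max-age", "1")) <= 0
    except ValueError:
        expired = False
    return val == "" or expired


def auth_cookie_after_logout(headers, name=AUTH_COOKIE):
    """Apply Set-Cookie headers in order, as a browser does, and return the
    (domain, path) scopes where the auth cookie is still set afterwards."""
    alive = {}
    for header, value in headers:
        if header.lower() != "set-cookie":
            continue
        cookie, val, attrs = parse_set_cookie(value)
        if cookie == name:
            # Simplification: a missing Domain/Path is treated as its own scope.
            scope = (attrs.get("domain", ""), attrs.get("path", ""))
            alive[scope] = not is_clearing(val, attrs)
    return sorted(scope for scope, is_set in alive.items() if is_set)


# Constructed logout responses; the ticket value is a placeholder.
REISSUED = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "auth_tkt=; Max-Age=0; Path=/"),
    ("Set-Cookie", 'auth_tkt="CONSTRUCTED-TICKET"; Max-Age=12000; Path=/'),
]
CLEARED = [("Set-Cookie", "auth_tkt=; Max-Age=0; Path=/")]

if __name__ == "__main__":
    print(auth_cookie_after_logout(REISSUED))  # cookie survives logout
    print(auth_cookie_after_logout(CLEARED))   # cookie is gone
```

A non-empty result for a logout response means the session cookie outlives the logout, which is worth asserting in a functional test of the logout view.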
