On Jun 5, 2007, at 11:02 PM, David K. Hess wrote:
I've tried using Session.lease_time as a session timeout mechanism
and have not good success with it. The behavior is really more of a
session invalidation than a session timeout.
The problem is that it's not clear how to catch a lease expiration
in the code so that you can display an appropriate message; it just
suddenly appears like an unauthenticated user is visiting the page
with a brand new session. This makes it difficult to try and do
friendly things like cache form values and reload them after they
re-authenticate.
I guess I'm looking more for behavior where the current session
doesn't get deleted but goes into a "needs to re-authenticate"
state which is handled by the login machinery and can be detected
by application code.
The application can always compare
get_session().get_access_time() and site_now() and
start bothering the user, or even log the user out by
calling get_session().clear_authentication().
You could do this by writing your own
SitePublisher.fill_response_using_root_directory(),
and that might be the easiest solution.
Alternatively, you could write your own subclass
of Session, and add a SitePublisher.create_session()
that returns an instance of your session class.
That gives you total control of session behavior.
_______________________________________________
QP mailing list
[email protected]
http://mail.mems-exchange.org/mailman/listinfo/qp
