Jeff,

I think I see where you are going with the separate timeouts - that way the login expires when the browser is closed or the session times out.

What do you think about resetting the session timeout on each request? That way the timeout really becomes an idle timeout. This is how banks handle sessions and it seems to strike the right balance between security and convenience.

Can we also add a checkbox to the login form along the lines of "remember my login" and then adjust the timeout accordingly? I would like to be able to set things up so logins expire after ~10 minutes of idle time (or when the browser is closed) if "remember login" isn't checked, and expire after some really long period if it is.

Sean Cazzell

On Sun, 2005-11-06 at 17:29 -0500, Jeff Watkins wrote:
> This raises an interesting point: I think the Identity framework
> should have separate time-out values for the cookie and the identity
> session. I think the cookie should default to not having a time out,
> hence it will be deleted when the browser quits. The identity session
> will still have a 20 minute lifetime.
>
> There are a number of other little tweaks I want to add to the
> Identity framework's:
>
> * Ability to specify the host and path for the cookie
> * Ability to tie a session cookie to the visitor's IP address
> * Adding the current identity to the variable provider for template
>   access
>
> I got distracted with other work this weekend, but I'd like to get
> these features included in the next few days.
>
> On 6 Nov, 2005, at 4:39 pm, Sean Cazzell wrote:
>
> > No, you haven't missed anything - it isn't possible right now without
> > changes to the identity code. The good news is the identity code is
> > still under heavy development and this sort of thing will be easy to do
> > in the near future (by 1.0 for sure).
> >
> > For now, you could delete this line in
> > identity.filter.send_identity_cookie:
> >
> > cookies[self.provider.identity_cookie]['expires']= timeout
> >
> > Sean Cazzell
> >
> > On Sun, 2005-11-06 at 08:05 -0800, [EMAIL PROTECTED] wrote:
> >> Hi,
> >>
> >> I'm just playing with the identity part of TurboGears and found that I
> >> don't know how to set the identity cookie to last only until the
> >> browser is closed.
> >>
> >> Reading some code I found identity.session.timeout, but setting this to
> >> 0 just invalidates the login cookie immediately.
> >>
> >> Have I missed some obvious way to do this?
>
> --
> Jeff Watkins
> http://newburyportion.com/
>
> "Not everything that can be counted counts, and not everything that
> counts can be counted."
> -- Albert Einstein
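
The scheme discussed in this thread (a server-side idle timeout reset on each request, a browser-session cookie by default, and a long-lived cookie when "remember my login" is checked), written out as an added example. It is not TurboGears identity code and not from any poster in the thread; the names `login`, `authenticate`, `COOKIE_NAME` and the 30-day `REMEMBER_TIMEOUT` are assumptions.

```python
import secrets
import time
from http.cookies import SimpleCookie

IDLE_TIMEOUT = 10 * 60              # ~10 minutes idle when "remember" is unchecked
REMEMBER_TIMEOUT = 30 * 24 * 3600   # assumed value for "some really long period"
COOKIE_NAME = "identity"            # hypothetical cookie name

_sessions = {}  # session id -> {"user", "ttl", "expires_at"}


def _cookie(sid, max_age):
    """Build the Set-Cookie value; max_age=None yields a browser-session cookie."""
    cookie = SimpleCookie()
    cookie[COOKIE_NAME] = sid
    morsel = cookie[COOKIE_NAME]
    morsel["path"] = "/"
    morsel["httponly"] = True
    morsel["secure"] = True
    if max_age is not None:
        # Persistent cookie: survives a browser restart.
        morsel["max-age"] = max_age
    # With no Max-Age/Expires the browser drops the cookie when it quits.
    return morsel.OutputString()


def login(user, remember=False, now=None):
    """Create a server-side session and return (sid, Set-Cookie value)."""
    now = time.time() if now is None else now
    ttl = REMEMBER_TIMEOUT if remember else IDLE_TIMEOUT
    sid = secrets.token_urlsafe(32)
    _sessions[sid] = {"user": user, "ttl": ttl, "expires_at": now + ttl}
    return sid, _cookie(sid, ttl if remember else None)


def authenticate(sid, now=None):
    """Return the user for a live session and slide its idle deadline."""
    now = time.time() if now is None else now
    session = _sessions.get(sid)
    if session is None:
        return None
    if now >= session["expires_at"]:
        del _sessions[sid]  # expired server-side, whatever the cookie says
        return None
    session["expires_at"] = now + session["ttl"]  # reset on each request
    return session["user"]
```

The server-side deadline is what enforces expiry; the cookie lifetime only decides whether the browser still presents the session id after a restart.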

