On Fri, 01 Feb 2008 16:42:48 -0000, Diez B. Roggisch <[EMAIL PROTECTED]> wrote:
> Nick Murdoch wrote:
>>
>> On 31 Jan, 23:16, Paul Johnston <[EMAIL PROTECTED]> wrote:
>>> Nick,
>>>
>>>> I'm just wondering if there's been any update on this, ie, is it yet
>>>> possible to have the user automatically logged out when they close
>>>> their browser window?
>>> It may be possible using javascript and ajax, although such solutions
>>> wouldn't be 100% reliable.
>>>
>>> But I really wouldn't worry about this, it's enough to just provide the
>>> user with a logout function and, as a backup, expire sessions after a
>>> period of inactivity. I've done security reviews on some very sensitive
>>> banking applications, and this approach was good enough for all of
>>> them.
>>
>> Thanks Paul. I suspected as much -- unfortunately it's a client asking
>> for this behaviour specifically, so I suspect I'll have to go with the
>> hacky javascript option on this one. I'd be quite happy with the
>> normal session expiration myself, if it were up to me :)
>
> Can't cookies be made session-lasting only? I thought so...

If someone could point me at the config option for this, that'd be great. I can't see anything anywhere, though...

> alternatively, setting the session cookie timeout very short (matter of
> minutes) and updating it using a background-ajax-request as long as the
> app runs might be a more solid solution.

That sounds better, yeah! Much better for the client to be asked to log in more often if they don't have JavaScript, than to not log them out if they don't (or browser crashes, etc)

Nick
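The two ideas raised in this thread (a session-lasting cookie, and a short server-side timeout that a background request keeps extending) are sketched below as an added example; it is not part of the original messages and is not TurboGears code. It uses only the Python standard library, and `SessionStore`, `session_cookie_header`, the cookie name `session_id` and the 120-second timeout are assumptions made for illustration.

```python
import secrets
from http.cookies import SimpleCookie

IDLE_TIMEOUT = 120  # seconds; assumed value for "a matter of minutes"


class SessionStore:
    """In-memory sessions with a short sliding idle timeout (hypothetical helper)."""

    def __init__(self, clock):
        self._clock = clock   # injectable time source, e.g. time.monotonic
        self._expiry = {}     # session id -> absolute expiry time

    def create(self):
        sid = secrets.token_urlsafe(32)
        self._expiry[sid] = self._clock() + IDLE_TIMEOUT
        return sid

    def touch(self, sid):
        """Call on every request, including the background keepalive.
        Extends a live session and returns True; otherwise returns False."""
        deadline = self._expiry.get(sid)
        if deadline is None or self._clock() >= deadline:
            self._expiry.pop(sid, None)  # expired or unknown: force a new login
            return False
        self._expiry[sid] = self._clock() + IDLE_TIMEOUT
        return True

    def logout(self, sid):
        """Explicit logout: the server forgets the session immediately."""
        self._expiry.pop(sid, None)


def session_cookie_header(sid):
    """Build a Set-Cookie value with no Expires/Max-Age attribute, so the
    browser treats it as a session cookie rather than a persistent one."""
    cookie = SimpleCookie()
    cookie["session_id"] = sid            # cookie name is an assumption
    cookie["session_id"]["path"] = "/"
    cookie["session_id"]["httponly"] = True
    cookie["session_id"]["secure"] = True
    return cookie["session_id"].OutputString()
```

The server-side timeout is what enforces logout when the keepalive stops (window closed, crash, JavaScript disabled); browsers that restore the previous session on startup can keep session cookies across a restart, so the cookie attribute alone does not guarantee it.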

