It's apparently possible to extend/override the Auth features with subclassing, however Web2py has some "onlogin/onlogout" features that may work for you. This thread touches on both: https://groups.google.com/forum/#!searchin/web2py/MyAuth$20login/web2py/73jbzK8Sy-w/oYNXuMxw35gJ
Session expiration: http://web2py.com/book/default/chapter/08?search=login+session+expiration+time The admin app seems to have something more elaborate: http://code.google.com/p/web2py/source/browse/applications/admin/models/access.py
