2010/11/29 Andreas Jung <[email protected]>:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> We have the requirement within a project that a Plone user should
> be logged off automatically after N minutes of inactivity (means
> the authentication cookie should expire after N minutes).
>
> CookieAuthHelper.updateCredentials() is in charge for the initial
> setting of the authentication cookie. Adding an expiration date here
> would not be the deal. However the authentication cookie
> must be set with an updated expiration date upon every request (in order
> to reset the inactivity timer to zero). Is there some way for hooking
> this functionality properly into PAS? Otherwise I would have to
> hack the ZPublisher somehow...(perhaps using Publisher events...).

On Plone, CookieAuthHelper (or rather the PlonePAS subclass, ExtendedCookieAuthHelper) is only responsible for Challenge and Extraction. plone.session is responsible for Update Credentials.

Setting an expiration date on an authentication cookie makes it persistent, so if a user closes their browser they will not be logged out. Instead, plone.session includes the issue time and has a cookie validity setting that limits the validity of any issued cookie.

For keeping the cookie up to date you have two options.

1. Put it in mod_auth_tkt compatibility mode and configure Apache to refresh the cookies for you.

2. Add the extensions profile that adds a CSS refresh URL to the CSS registry, along with some JavaScript so a user is not logged out while they are active on a page. (This is new in plone.session 3.1 which will be in Plone 4.1, but is compatible back to Plone 3.2).

Documentation at http://pypi.python.org/pypi/plone.session/3.1

Laurence
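
The scheme described in the reply (a session cookie whose lifetime is enforced from a signed issue time and reissued while the user is active), as an added sketch that is not part of the original message and is not plone.session's code or ticket format. The secret, the intervals, the ticket layout and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

SECRET = b"constructed-demo-secret"   # assumption: per-site signing key
VALIDITY = 30 * 60                    # N minutes of inactivity, in seconds
REFRESH_AFTER = 5 * 60                # reissue once a ticket is this old


def issue(userid: str, now: int) -> bytes:
    """Ticket = HMAC-SHA256(secret, body) + body, body = issue time + userid."""
    body = struct.pack("!I", now) + userid.encode("utf-8")
    return hmac.new(SECRET, body, hashlib.sha256).digest() + body


def validate(ticket: bytes, now: int):
    """Return (userid, issue_time), or None if malformed, forged or expired."""
    if len(ticket) < 36:              # 32-byte MAC + 4-byte timestamp
        return None
    mac, body = ticket[:32], ticket[32:]
    expected = hmac.new(SECRET, body, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return None
    (issued,) = struct.unpack("!I", body[:4])
    # Expiry is decided server-side from the signed issue time, so the cookie
    # itself needs no Expires/Max-Age and disappears when the browser closes.
    # Tickets dated in the future are rejected as well.
    if not (issued <= now < issued + VALIDITY):
        return None
    return body[4:].decode("utf-8"), issued


def handle_request(ticket: bytes, now: int):
    """Return (userid, new_ticket); new_ticket is None when no refresh is due."""
    result = validate(ticket, now)
    if result is None:
        return None, None             # anonymous; the caller clears the cookie
    userid, issued = result
    # Each refresh restarts the inactivity window; an idle user's ticket
    # simply ages past VALIDITY and stops validating.
    fresh = issue(userid, now) if now - issued >= REFRESH_AFTER else None
    return userid, fresh
```

Refreshing only after `REFRESH_AFTER` avoids sending a new `Set-Cookie` on every response while keeping the inactivity limit accurate to within that interval.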
