On Mon, 2004-05-17 at 14:58, Steve Jibson wrote:
> We're using ExUserFolder for authentication.  We have it set to log 
> users out after 10 minutes.  We have sessions set to expire after 20 
> minutes.  So, in theory, it should never happen.

Are you sure that their auth really does time out after exactly 10
minutes?  10 minutes of inactivity?  Is it based on a cookie timeout? 
Does it reset the cookie on every request?  This relies on assuming all
browsers respect the cookie timeout adequately at that resolution, as
well.  I don't know how well various browsers do this.

>   Also, since my last 
> Zope restart (3hr 30min), I've had 57 users let their authentication 
> timeout and then access the site (forcing another login), and still no 
> errors with session.  (It's still using FileStorage).

It might be pedantic, but I still think relying on the auth timeout
behavior is wrong.  Instead of populating initial session data at login
time, a bit of code called from your main template should probably do
something like "if not context.session_data_manager.hasSessionData():
... populate session data based on auth info...".  Or maybe an access
rule that does the same thing (might be tricky though, I haven't tested
that well).

The "right thing" to do here might be to use an auth product that stores
auth info in a session; that would isolate the problem nicely because
there wouldn't be competing timeouts.  Apparently someone has coded one
up as SessionCrumbler somewhere.

The fact that it "works" under FileStorage is curious, but might be a
coincidence too.  Lots of machinery here. ;-)

> > A small reproducible test case would help if you still believe this
> > error is not in your own application.
> > 
> I'm sure you know by now that this is easier said than done.

Sure.  I've spent god knows how long doing it. ;-)

>   Over the 
> past few weeks, I've probably put close to 30 hours into just trying to 
> reproduce (on demand) these session errors.  I'll probably want to 
> look at the test rig you and Michael have been using.

Yes, although that doesn't do any data validity checks, AFAIK.  It would
be interesting to try to extend it to do so.

You might also want to consider running Zope with the Z_TOC_DEBUG envvar
set to true.  This spews out a bunch of messages to the error log for
each session access.  Coupled with a log message noting when someone
logs in *and their browser id*, this could provide clues.

- C

Zope-Dev maillist  -  [EMAIL PROTECTED]
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://mail.zope.org/mailman/listinfo/zope )
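The suggestion above (check for session data on every request and repopulate it from the auth info when it is missing, instead of writing it only at login) is easiest to see with a replayed timeline. The following is an added example written for this page; it is not Zope, ExUserFolder or SessionCrumbler code. `AuthStore` and `SessionStore` are constructed stand-ins (a sliding-expiry auth cookie and an inactivity-expiring session container), `has_session_data` merely mirrors the `hasSessionData` name from the message, and the request timelines are invented to show the one ordering that breaks the login-time approach: the auth cookie is kept alive by pages that never touch session data, so the session expires first while the user is still logged in.

```python
"""Model of login-time vs. request-time session population (added example)."""

from dataclasses import dataclass, field


class ExpiredError(Exception):
    """Raised when a handler reads session data that has already been dropped."""


@dataclass
class AuthStore:
    """Cookie-style auth stand-in: valid for `ttl` minutes, refreshed on every request."""
    ttl: int
    expires_at: float = -1.0
    user: str = ""

    def login(self, user, now):
        self.user, self.expires_at = user, now + self.ttl

    def current_user(self, now):
        """Return the logged-in user, sliding the expiry forward, or None if timed out."""
        if now >= self.expires_at:
            return None
        self.expires_at = now + self.ttl
        return self.user


@dataclass
class SessionStore:
    """Session-data stand-in: contents are discarded after `ttl` minutes without access."""
    ttl: int
    data: dict = field(default_factory=dict)
    last_access: float = -1.0

    def has_session_data(self, now):
        """Mirrors hasSessionData(): expire idle data first, then report whether any is left."""
        if self.data and now - self.last_access >= self.ttl:
            self.data.clear()
        return bool(self.data)

    def get(self, now):
        if not self.has_session_data(now):
            raise ExpiredError("session data gone")
        self.last_access = now
        return self.data

    def populate(self, user, now):
        # Whatever the real app derives from the auth info would go here.
        self.data = {"user": user, "role": "member"}
        self.last_access = now


def login_populated(auth, session, now, needs_session):
    """Write session data only when a login happens (the approach questioned above)."""
    user = auth.current_user(now)
    if user is None:
        user = "alice"                      # constructed user for the replay
        auth.login(user, now)
        session.populate(user, now)         # the only place session data is written
    return session.get(now)["role"] if needs_session else "ok"


def lazy_populated(auth, session, now, needs_session):
    """Check for session data on every request and rebuild it from auth when missing."""
    user = auth.current_user(now)
    if user is None:
        user = "alice"
        auth.login(user, now)
    if not session.has_session_data(now):
        session.populate(user, now)         # independent of which timeout fired first
    return session.get(now)["role"] if needs_session else "ok"


def run(handler, timeline, auth_ttl=10, session_ttl=20):
    """Replay (minute, page_needs_session) requests; 'ERR' marks a missing-session failure."""
    auth, session = AuthStore(ttl=auth_ttl), SessionStore(ttl=session_ttl)
    results = []
    for minute, needs_session in timeline:
        try:
            results.append(handler(auth, session, minute, needs_session))
        except ExpiredError:
            results.append("ERR")
    return results


# Constructed timelines. Auth = 10 min sliding, session = 20 min idle, as in the thread.
# Auth-only pages at 8, 16 and 24 keep the cookie alive but never touch session data,
# so at minute 32 the session has been idle for 32 min while auth is still valid.
TIMELINE_SESSION_IDLE = [(0, True), (8, False), (16, False), (24, False), (32, True)]
# The "in theory" case: the user goes away long enough for auth to expire first.
TIMELINE_AUTH_FIRST = [(0, True), (15, True)]

if __name__ == "__main__":
    for name, handler in (("login-time", login_populated), ("request-time", lazy_populated)):
        print(name, run(handler, TIMELINE_SESSION_IDLE), run(handler, TIMELINE_AUTH_FIRST))
```

Both handlers behave identically when auth expires first, which is why the problem can stay hidden for hours; only the request-time check survives the session expiring underneath a still-valid login. The same guard is what the message proposes for the main template, and it also removes the dependence on browsers honouring a cookie timeout at minute resolution.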
