Ticket #10801 (closed PLIP: wontfix)
Add session timeout support to plone.session
Reported by: | aclark | Owned by: | aclark |
---|---|---|---|
Priority: | minor | Milestone: | 4.1 |
Component: | Unknown | Version: | |
Keywords: | session | Cc: |
Description (last modified by aclark)
I have a client that needs to support a session time out policy in Plone. I would like to implement this in plone.session based on a suggestion from Wichert:
05:45 < aclark> anyone have any experience enforcing session times in Plone? E.g. forcing logout after X minutes
…
05:47 < wiggy> I can also tell you plone.session does not have an option for it
…
05:48 < wiggy> but it would be trivial to add it if you wanted to
…
05:48 < aclark> wiggy: so branch plone.session to experiment you mean?
05:49 < wiggy> yes
…
05:49 < wiggy> bonus points for making it use z3c.appconfig instead of persistent config
…
05:50 < aclark> yeah down w/persistent config
I have created a branch for this work: http://svn.plone.org/svn/plone/plone.session/branches/aclark-session-timeout/
And I am currently pondering the implementation, specifically UI vs. config file. The feature itself should be simple to add:
06:39 < wiggy> aclark: all you need is a config option and tweak the setCookie call
06:39 < wiggy> aclark: nothing more required
…
06:39 < wiggy> aclark: I bet you can do it in 2 extra lines of python
…
06:40 < aclark> wiggy: i could build a UI around it too though right? client wants ability to vary the time
06:40 < wiggy> aclark: personally I would use z3c.appconfig and stick it in a .ini file
06:40 < wiggy> aclark: but that's me - I refuse to do persistent config anymore, it's just not worth the pain
…
06:41 < aclark> might be able to talk them into that, still others will require a TTW UI
06:41 < wiggy> people only think they need it
06:41 < wiggy> but really they don't
06:42 < wiggy> 90% of the plone control panels and ZMI pages are useless imho
06:42 < aclark> i agree in terms of the trade off… in most cases the persistence pain makes it not worth it in most cases
…
Change History
comment:4 Changed 6 years ago by ldr
I already added this to plone.session when I switched it to use mod_auth_tkt style sessions. See the Cookie validity timeout setting. The default is 12 hours.
To use shorter timeouts we would need to implement timeoutRefresh, so the cookie is updated every so often. It's possible to get that behaviour now using mod_auth_tkt and an Apache proxy.
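The difference between a fixed cookie validity timeout and the refresh behaviour described in the comment above, as an added example that is not part of the ticket and is not plone.session's or mod_auth_tkt's code. The ticket layout, the function names `make_ticket`, `check_ticket` and `simulate`, the secret and the meaning of the `refresh` fraction are all assumptions of this example.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-secret"  # constructed value for this example


def _mac(ts, userid, secret):
    return hmac.new(secret, (ts + userid).encode(), hashlib.sha256).hexdigest()


def make_ticket(userid, now, secret=SECRET):
    """Assumed layout: 64 hex MAC + 8 hex issue time + userid."""
    ts = "%08x" % int(now)
    return _mac(ts, userid, secret) + ts + userid


def check_ticket(ticket, now, timeout, refresh=0.5, secret=SECRET):
    """Return (userid, replacement_ticket_or_None), or None if rejected.

    timeout: validity in seconds, counted from the ticket's issue time.
    refresh: assumed fraction of the timeout; once less than this share of
             the validity period remains, a fresh ticket is issued.
             0 never refreshes, so the lifetime is fixed at login.
    """
    mac, ts, userid = ticket[:64], ticket[64:72], ticket[72:]
    try:
        issued = int(ts, 16)
    except ValueError:
        return None  # malformed timestamp
    # Verify the MAC before trusting the timestamp or userid.
    if not hmac.compare_digest(mac.encode(), _mac(ts, userid, secret).encode()):
        return None
    age = now - issued
    if age < 0 or age > timeout:
        return None  # issued in the future, or expired
    if refresh and (timeout - age) < timeout * refresh:
        return userid, make_ticket(userid, now, secret)
    return userid, None


def simulate(request_times, timeout, refresh):
    """Replay requests (seconds after login); True where the session held."""
    ticket, results = make_ticket("alice", 0), []
    for t in request_times:
        outcome = check_ticket(ticket, t, timeout, refresh)
        results.append(outcome is not None)
        if outcome and outcome[1]:
            ticket = outcome[1]  # server re-sets the cookie with the new ticket
    return results
```

With a 900-second timeout and requests at 300, 600, 1000, 1400 and 3000 seconds, `refresh=0` drops the session at 1000 seconds even though the user is active, while `refresh=0.5` keeps it alive until the 1600-second idle gap before the last request.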
comment:5 Changed 6 years ago by esteele
- Status changed from new to closed
- Resolution set to wontfix
This PLIP has been declined for consideration for Plone 4.1.
Framework Team voting on this PLIP was: Alec -1, Craig -1, Elizabeth -1, Laurence -1, Martijn -1, Matthew -1, Rob -1, Ross -.5
The Framework Team felt that the PLIP wasn't clear in what functionality it was proposing beyond what already exists in the existing plone.session package.