Ticket #10801 (closed PLIP: wontfix)

Opened 6 years ago

Last modified 6 years ago

Add session timeout support to plone.session

Reported by: aclark
Owned by: aclark
Priority: minor
Milestone: 4.1
Component: Unknown
Version:
Keywords: session
Cc:

Description (last modified by aclark)

I have a client that needs to support a session time out policy in Plone. I would like to implement this in plone.session based on a suggestion from Wichert:

05:45 < aclark> anyone have any experience enforcing session times in Plone? E.g. forcing logout after X minutes
…
05:47 < wiggy> I can also tell you plone.session does not have an option for it
…
05:48 < wiggy> but it would be trivial to add it if you wanted to
…
05:48 < aclark> wiggy: so branch plone.session to experiment you mean?
05:49 < wiggy> yes
…
05:49 < wiggy> bonus points for making it use z3c.appconfig instead of persistent config
…
05:50 < aclark> yeah down w/persistent config


I have created a branch for this work: http://svn.plone.org/svn/plone/plone.session/branches/aclark-session-timeout/

And I am currently pondering the implementation, specifically UI vs. config file. The feature itself should be simple to add:

06:39 < wiggy> aclark:  all you need is a config option and tweak the setCookie call
06:39 < wiggy> aclark:  nothing more required
…
06:39 < wiggy> aclark:  I bet you can do it in 2 extra lines of python
…
06:40 < aclark> wiggy: i could build a UI around it too though right? client wants ability to vary the time
06:40 < wiggy> aclark:  personally I would use z3c.appconfig and stick it in a .ini file
06:40 < wiggy> aclark:  but that's me - I refuse to do persistent config anymore, it's just not worth the pain
…
06:41 < aclark> might be able to talk them into that, still others will require a TTW UI
06:41 < wiggy> people only think they need it
06:41 < wiggy> but really they don't
06:42 < wiggy> 90% of the plone control panels and ZMI pages are useless imho
06:42 < aclark> i agree in terms of the trade off… in most cases the persistence pain makes it not worth it in most cases
…



Change History

comment:1 Changed 6 years ago by aclark

  • Description modified

comment:2 Changed 6 years ago by aclark

  • Description modified

comment:3 Changed 6 years ago by aclark

  • Description modified

comment:4 Changed 6 years ago by ldr

I already added this to plone.session when I switched it to use mod_auth_tkt style sessions. See the Cookie validity timeout setting. The default is 12 hours.

To use shorter timeouts we would need to implement timeoutRefresh, so the cookie is updated every so often. It's possible to get that behaviour now using mod_auth_tkt and an Apache proxy.
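The validity timeout and refresh behaviour described in the comment above, as an added example that is not code from plone.session or mod_auth_tkt. The ticket layout, the HMAC-SHA256 signature, the secret and the refresh fraction are assumptions made for illustration.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-demo-secret"  # constructed value, not a real key
TIMEOUT = 12 * 60 * 60               # validity timeout in seconds (12 hours)
REFRESH = 0.5                        # assumption: re-issue when less than this
                                     # fraction of the timeout remains


def _sign(body):
    return hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()


def issue(userid, now=None):
    """Return 'mac.timestamp_hex.userid'; the MAC covers timestamp and userid."""
    ts = int(time.time() if now is None else now)
    body = "%08x.%s" % (ts, userid)
    return _sign(body) + "." + body


def validate(ticket, now=None, timeout=TIMEOUT, refresh=REFRESH):
    """Return (userid, replacement_ticket_or_None), or (None, None) if rejected."""
    now = int(time.time() if now is None else now)
    try:
        mac, ts_hex, userid = ticket.split(".", 2)
        ts = int(ts_hex, 16)
    except ValueError:
        return None, None                    # malformed ticket
    expected = _sign("%s.%s" % (ts_hex, userid))
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return None, None                    # tampered, or signed with another secret
    age = now - ts
    if age < 0 or age > timeout:
        return None, None                    # future-dated or expired
    if timeout - age < refresh * timeout:
        # Sliding refresh: an active user gets a fresh timestamp, an idle
        # one is logged out once the short timeout has passed.
        return userid, issue(userid, now)
    return userid, None
```

Without the refresh step, a short timeout ends every session that long after login, however active the user is, because the signed timestamp never moves.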

comment:5 Changed 6 years ago by esteele

  • Status changed from new to closed
  • Resolution set to wontfix

This PLIP has been declined for consideration for Plone 4.1.

Framework Team voting on this PLIP was: Alec -1, Craig -1, Elizabeth -1, Laurence -1, Martijn -1, Matthew -1, Rob -1, Ross -.5

The Framework Team felt that the PLIP wasn't clear in what functionality it was proposing beyond what already exists in the existing plone.session package.
