Keep session open #17
Comments
|
Indeed, we use pyramid.session.SignedCookieSessionFactory, the session timeout is set up to 7h and reissue time is 1h. I can set the session timeout to 30 days and reissue time to 48 h for example, this should be enough. |
|
Ok thanks a lot :) |
|
The change is deployed. |
|
The change I did was for the session cookie, not the auth_tkt cookie. The change didn't make sense for the session cookie, I reverted it. I have to verify, but I think the auth_tkt cookie is set via the pyramid.authentication.AuthTktAuthenticationPolicy that is configured in the includeme of cache/eggs/substanced-1.0a1-py3.4.egg/substanced/sdi/init.py The cookie set is a Session cookie so is removed when you close your browser. |
|
I think we should do a "Remember me" checkbox on the login page, default not checked. When not checked, the authentication cookie last only during the session (this what we have today). When checked, we use a persistent cookie that last 30 days renewed every day. I think we need to have our own authentication policy to do this. |
|
https://pypi.python.org/pypi/pyramid-cubicweb seems to do what I have in mind. It uses pyramid_multiauth.MultiAuthenticationPolicy with 2 policies (modified version of AuthTktAuthenticationPolicy that add a persistent=True|False parameter to the remember method), one with a session cookie named auth_tkt, and another which set a persistent cookie named pauth_tkt. And in the login view, they do remember(persistent=True) to create the persistent cookie. |
Apparently the site is setup to remove the session cookie when the browser or page is closed. I wish it could stay open for 30 days.
The text was updated successfully, but these errors were encountered: