Re: [cgiapp] Co-operation of LOGIN_SESSION_TIMEOUT - IDLE_FOR in CAP::Authentication and the _SESSION_ETIME in the session?

[Anthony Chee <suppressed>]

Thanks for your reply. I would like to provide more information on this

I have the following code,

$self->session_config(
           CGI_SESSION_OPTIONS => ["driver:file;serializer:yaml", 
$self->query,
                           {
                               Directory => $self->param('serverRoot') 
. 'tmp',
                           }
                                          ],
           DEFAULT_EXPIRY => '+1m',
       );

$self->authen->config(
           DRIVER    => [.......],
           STORE => 'Session',
           LOGIN_SESSION_TIMEOUT => '1m',
       );

What I supposed is I use session to store the user information, as I 
used STORE => 'Session', but my browser received the cookie from the 
server and with content CGISESSION, expiry time is 1m. Session is also 
created on server tmp directory, also 1m expiry time. It is so strange. 
Is it normal?

Regards,
Anthony

Cees Hek wrote:
> On 8/10/06, Anthony Chee <suppressed> wrote:
> > I would like to ask how the two parameters mentioned co-operate
> > together. Are they overlapped on the functionality?
> >
> > I tried to set IDLE_FOR is 30m and _SESSION_ETIME is 10m for the
> > program. I discovered that I can still access the logged-in page after
> > closing the browser, skipping the normal logout procedure, and accessing
> > the system again. Is it normal? How should I config the two parameters
> > if I want to ignore the old session when accessing the system again
> > after closing the browser?
>
> There is no way for the server to know that you closed your
> browser,and then started it up again.  To guess that this happened we
> usually use 'browser session' cookies which have no fixed expiry set.
> That means that the browser is supposed to clear that cookie when the
> browser closes, but to keep it for ever if the browser stays open.
>
> So when you set an expiry on your CAP::Session, the cookie gets an
> expiry time, which means it does not act as a 'browser session'
> cookie, so when you close the browser, the cookie gets saved to disk,
> and the next time you open your browser, the cookie is loaded back in
> (unless the exiry time has passed).
>
> So if you set an expiry on your CAP::Session closing the browser does 
> nothing.
>
> The IDLE_FOR parameter sets an expiry on one of the parameters in your
> CAP::Session.  It basically tells it that this parameter is only good
> for 10 minutes.  But on every request, it resets that timeout, since
> the user is not idle and has another 10 minutes to go.
>
> So I guess what you want is to remove any expiry on the CAP::Session
> configuration, and just use the expiries in the Authen configuration.
>
> Let me know if that works for you.
>
> Cheers,
>
> Cees



---------------------------------------------------------------------
Web Archive:  http://www.mail-archive.com/suppressed/
             http://marc.theaimsgroup.com/?l=cgiapp&r=1&w=2
To unsubscribe, e-mail: suppressed
For additional commands, e-mail: suppressed