(This is related to a security issue - I've explained the security issue in detail to Massimo and Anthony separately)
I want the session to be "invalid" as soon as the user logs out (as well as after a certain period of inactivity). This is "supposed to be" the default behaviour - but somehow it doesn't work.

I explicitly called session.renew() on logout - but that seems to "clear" the session Storage() object (dict) from memory, while the session file on the disk remains.

What I want is something like the sessions2trash.py script - except that the file should be deleted right away - even if the session has *not* expired.

Currently I'm using something like the following. *Please suggest the correct way to handle this* (I know this works only for file-based sessions, but that is OK)

    import os

    def post_logout(user):
        # Unlink first: response.session_filename is lost once renew() runs.
        try:
            os.unlink(response.session_filename)  # Clear the session from disk
        except OSError:
            pass
        session.renew(clear_session=True)  # Clear the memory/Storage object.

    auth.settings.logout_onlogout = post_logout

I can't call session.renew() before unlink - since the original session_filename is lost on renew.

-Mandar
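A self-contained model of the ordering problem described in the post above, added here as an illustration; it is not web2py code and not the poster's. `FileSessionStore`, `renew_only`, `logout` and the sample session are hypothetical names and constructed data: the model shows that renewing the id alone leaves the old file loadable, while unlinking before renewing does not.

```python
import json
import os
import secrets
import tempfile

class FileSessionStore:
    """Toy file-backed session store (constructed model, not web2py code)."""
    def __init__(self, folder):
        self.folder = folder

    def _path(self, sid):
        # Only hex ids issued by create() are accepted, so a cookie value
        # can never address a path outside the session folder.
        if not sid or not set(sid) <= set("0123456789abcdef"):
            raise ValueError("malformed session id")
        return os.path.join(self.folder, sid)

    def create(self, data):
        sid = secrets.token_hex(16)
        with open(self._path(sid), "w") as f:
            json.dump(data, f)
        return sid

    def load(self, sid):
        # Returns the stored data, or None when no file backs the id.
        try:
            with open(self._path(sid)) as f:
                return json.load(f)
        except FileNotFoundError:
            return None

    def renew_only(self, old_sid):
        """New id issued, old file left on disk: the old id keeps loading."""
        return self.create({})

    def logout(self, old_sid):
        """Unlink the old file while its id is still known, then renew."""
        try:
            os.unlink(self._path(old_sid))
        except FileNotFoundError:
            pass  # already gone, e.g. removed by a cleanup job
        return self.create({})

def demo():
    with tempfile.TemporaryDirectory() as folder:
        store = FileSessionStore(folder)
        old = store.create({"user": "alice"})  # constructed sample session
        store.renew_only(old)
        replay_after_renew = store.load(old)   # old id presented again
        new = store.logout(old)
        return replay_after_renew, store.load(old), store.load(new)
```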