[config] better *-session-time documentation and usage in session handler stable
authorSylvain Thénault <sylvain.thenault@logilab.fr>
Thu, 15 Apr 2010 15:17:18 +0200
branchstable
changeset 5283 9ad0eaa09d34
parent 5282 d7f72547208e
child 5284 ad922b7449aa
[config] better *-session-time documentation and usage in session handler
web/application.py
web/webconfig.py
--- a/web/application.py	Thu Apr 15 15:16:01 2010 +0200
+++ b/web/application.py	Thu Apr 15 15:17:18 2010 +0200
@@ -33,14 +33,15 @@
 
     def __init__(self, vreg):
         self.session_time = vreg.config['http-session-time'] or None
-        assert self.session_time is None or self.session_time > 0
-        self.cleanup_session_time = vreg.config['cleanup-session-time'] or 43200
-        assert self.cleanup_session_time > 0
-        self.cleanup_anon_session_time = vreg.config['cleanup-anonymous-session-time'] or 120
+        if self.session_time is not None:
+            assert self.session_time > 0
+            self.session_time *= 60 # convert minutes to seconds
+            self.cleanup_session_time = self.session_time
+        else:
+            self.cleanup_session_time = (vreg.config['cleanup-session-time'] or 1440) * 60
+            assert self.cleanup_session_time > 0
+        self.cleanup_anon_session_time = (vreg.config['cleanup-anonymous-session-time'] or 5) * 60
         assert self.cleanup_anon_session_time > 0
-        if self.session_time:
-            assert self.cleanup_session_time < self.session_time
-            assert self.cleanup_anon_session_time < self.session_time
         self.authmanager = vreg['components'].select('authmanager', vreg=vreg)
 
     def clean_sessions(self):
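Review bot: The range checks on the new lines are `assert` statements (`assert self.session_time > 0`, `assert self.cleanup_session_time > 0`, `assert self.cleanup_anon_session_time > 0`), which Python drops under `-O`, so a negative configured value would then be accepted and multiplied into a negative timeout. Because these values bound how long an authenticated session stays alive, an explicit check that raises is safer, e.g. `if self.session_time <= 0: raise ValueError('http-session-time must be > 0')`. In the `if` branch `cleanup-session-time` is never read, so an operator who sets a non-zero `http-session-time` cannot configure a shorter inactivity timeout; a comment such as `# cleanup-session-time is ignored when http-session-time is set` would make that visible. `__init__` lies wholly inside the hunk, but its enclosing class starts outside it.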
--- a/web/webconfig.py	Thu Apr 15 15:16:01 2010 +0200
+++ b/web/webconfig.py	Thu Apr 15 15:17:18 2010 +0200
@@ -115,27 +115,28 @@
         ('http-session-time',
          {'type' : 'int',
           'default': 0,
-          'help': 'duration in seconds for HTTP sessions. 0 mean no expiration. '\
-          'Should be greater than RQL server\'s session-time.',
+          'help': "duration in minutes of the cookie used to store session "
+          "identifier. If 0, the cookie will expire when the user exist its "
+          "browser. Should be 0 or greater than repository\'s session-time.",
           'group': 'web', 'inputlevel': 2,
           }),
         ('cleanup-session-time',
          {'type' : 'int',
-          'default': 43200,
-          'help': 'duration in seconds for which unused connections should be '\
-          'closed, to limit memory consumption. This is different from '\
-          'http-session-time since in some cases you may have an unexpired http '\
-          'session (e.g. valid session cookie) which will trigger transparent '\
-          'creation of a new session. In other cases, sessions may never expire \
-          and cause memory leak. Should be smaller than http-session-time, '\
-          'unless it\'s 0. Default to 12 h.',
+          'default': 1440,
+          'help': 'duration of inactivity in minutes after which a connection '
+          'will be closed, to limit memory consumption (avoid sessions that '
+          'never expire and cause memory leak when http-session-time is 0). '
+          'So even if http-session-time is 0 and the user don\'t close his '
+          'browser, he will have to reauthenticate after this time of '
+          'inactivity. Default to 24h.',
           'group': 'web', 'inputlevel': 2,
           }),
         ('cleanup-anonymous-session-time',
          {'type' : 'int',
-          'default': 120,
-          'help': 'Same as cleanup-session-time but specific to anonymous '\
-          'sessions. Default to 2 min.',
+          'default': 5,
+          'help': 'Same as cleanup-session-time but specific to anonymous '
+          'sessions. You can have a much smaller timeout here since it will be '
+          'transparent to the user. Default to 5min.',
           'group': 'web', 'inputlevel': 2,
           }),
         ('force-html-content-type',
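Review bot: The three options keep their names while their unit changes from seconds to minutes, so a value already written in an instance's configuration is silently reinterpreted: the old default `43200` for `cleanup-session-time` would become 43200 minutes (30 days) of allowed inactivity before re-authentication. Nothing in this hunk shows a migration step or a warning for such values; if none exists elsewhere, consider adding one or flagging implausibly large values at startup. The help for `cleanup-session-time` also does not say that the option is ignored when `http-session-time` is non-zero, which is how the new `__init__` in web/application.py behaves; a sentence like `'Ignored when http-session-time is not 0.'` would document it. The option list starts and ends outside the hunk.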