--- a/web/application.py Thu Apr 15 15:16:01 2010 +0200
+++ b/web/application.py Thu Apr 15 15:17:18 2010 +0200
@@ -33,14 +33,15 @@
def __init__(self, vreg):
self.session_time = vreg.config['http-session-time'] or None
- assert self.session_time is None or self.session_time > 0
- self.cleanup_session_time = vreg.config['cleanup-session-time'] or 43200
- assert self.cleanup_session_time > 0
- self.cleanup_anon_session_time = vreg.config['cleanup-anonymous-session-time'] or 120
+ if self.session_time is not None:
+ assert self.session_time > 0
+ self.session_time *= 60 # convert minutes to seconds
+ self.cleanup_session_time = self.session_time
+ else:
+ self.cleanup_session_time = (vreg.config['cleanup-session-time'] or 1440) * 60
+ assert self.cleanup_session_time > 0
+ self.cleanup_anon_session_time = (vreg.config['cleanup-anonymous-session-time'] or 5) * 60
assert self.cleanup_anon_session_time > 0
- if self.session_time:
- assert self.cleanup_session_time < self.session_time
- assert self.cleanup_anon_session_time < self.session_time
self.authmanager = vreg['components'].select('authmanager', vreg=vreg)
def clean_sessions(self):
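Review bot: The positivity checks on `session_time`, `cleanup_session_time` and `cleanup_anon_session_time` are `assert` statements, which are stripped when Python runs with `-O`, so a negative configured value would then reach the cleanup timers unchecked. An explicit check such as `if self.session_time <= 0: raise ValueError('http-session-time must be 0 or positive')` (and the same for the two cleanup values) keeps the validation in optimized runs. Separately, when `http-session-time` is non-zero the new branch sets `self.cleanup_session_time = self.session_time` and never reads `cleanup-session-time`, so a long cookie lifetime also becomes the server-side inactivity timeout. If that is intended, a comment on that line would make it explicit, e.g. `# cleanup-session-time is only consulted when http-session-time is 0`. The enclosing class starts outside the hunk.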
--- a/web/webconfig.py Thu Apr 15 15:16:01 2010 +0200
+++ b/web/webconfig.py Thu Apr 15 15:17:18 2010 +0200
@@ -115,27 +115,28 @@
('http-session-time',
{'type' : 'int',
'default': 0,
- 'help': 'duration in seconds for HTTP sessions. 0 mean no expiration. '\
- 'Should be greater than RQL server\'s session-time.',
+ 'help': "duration in minutes of the cookie used to store session "
+ "identifier. If 0, the cookie will expire when the user exist its "
+ "browser. Should be 0 or greater than repository\'s session-time.",
'group': 'web', 'inputlevel': 2,
}),
('cleanup-session-time',
{'type' : 'int',
- 'default': 43200,
- 'help': 'duration in seconds for which unused connections should be '\
- 'closed, to limit memory consumption. This is different from '\
- 'http-session-time since in some cases you may have an unexpired http '\
- 'session (e.g. valid session cookie) which will trigger transparent '\
- 'creation of a new session. In other cases, sessions may never expire \
- and cause memory leak. Should be smaller than http-session-time, '\
- 'unless it\'s 0. Default to 12 h.',
+ 'default': 1440,
+ 'help': 'duration of inactivity in minutes after which a connection '
+ 'will be closed, to limit memory consumption (avoid sessions that '
+ 'never expire and cause memory leak when http-session-time is 0). '
+ 'So even if http-session-time is 0 and the user don\'t close his '
+ 'browser, he will have to reauthenticate after this time of '
+ 'inactivity. Default to 24h.',
'group': 'web', 'inputlevel': 2,
}),
('cleanup-anonymous-session-time',
{'type' : 'int',
- 'default': 120,
- 'help': 'Same as cleanup-session-time but specific to anonymous '\
- 'sessions. Default to 2 min.',
+ 'default': 5,
+ 'help': 'Same as cleanup-session-time but specific to anonymous '
+ 'sessions. You can have a much smaller timeout here since it will be '
+ 'transparent to the user. Default to 5min.',
'group': 'web', 'inputlevel': 2,
}),
('force-html-content-type',
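Review bot: The unit of all three options changes from seconds to minutes while the option names stay the same, so a configuration file that still holds a value written for the old unit (for example the former default `43200`) would now be read as minutes and keep idle sessions for about 30 days instead of 12 hours. Nothing in this hunk migrates or flags such stored values; an upgrade step that rewrites them, or at least a sentence in each help text such as `'Unit changed from seconds to minutes.'`, would avoid silently lengthening session lifetimes. The `cleanup-session-time` help could also state outright that the value is only used when `http-session-time` is 0, which is how the new `__init__` in web/application.py reads it. In the `http-session-time` help, "exist its browser" presumably means "exits the browser". The options tuple starts and ends outside the hunk.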