Hi,

We're using Zope 2.8.8 with a bunch of client sites set up in various sub directories / databases. We're using ZEO for the database storage and a local zodb file for the temporary data.

I've recently been asked to set the system so user sessions time out after 15 minutes of activity. I've changed the setting in our zope.conf file (the session timeout value) and restarted Zope. However, if I open a page on the site that requires logon and log in, then leave the browser alone for 15 or 20 minutes or even an hour, when I click on a link, it doesn't force me to re-authenticate... it just works as normal.

I'm hoping someone could tell me if there's other stuff I need to do to make the session time out and force reauthentication at the server level (rather than having to add code to every user site, as we have over 500 different ones and I'm not sure there's something common enough for me to hook into if I have to alter code on the sites themselves to enable this). It's okay if I get back a response that it can't be done, but I have to be able to provide my boss with a definitive answer.

Thank You,
Robin Sale
=====================================
Robin Sale, Software Engineer
Specialized Technology Resources, Inc.
10 Water Street
Enfield CT 06082-4899 USA
robin.sale@strus.com
ICQ: 190327116
+1 860 749-8371 Ext. 336 Telephone
+1 860 749-9158 Fax
--On 25 January 2007 09:59:44 -0500 "Sale, Robin" <Robin.Sale@strus.com> wrote:
Hi,
We're using Zope 2.8.8 with a bunch of client sites set up in various sub directories / databases. We're using ZEO for the database storage and a local zodb file for the temporary data.
I've recently been asked to set the system to user sessions time out after 15 minutes of activity. I've changed the setting in our zope.conf file (the session timeout value) and restarted zope. However, if I open a page on the site that requires logon and log in, then leave the browser alone for 15 or 20 minutes or even an hour, when I click on a link, it doesn't force me to re-authenticate... it just works as normal.
You can configure the session timeout and the max. number of session objects. Perhaps you have more user sessions than configured, so some sessions might be deleted before the timeout?

Andreas
Andreas, thank you for replying. Actually, the problem I have is the reverse: the sessions NEVER seem to time out. I have a directive from up on high to make it so that 15 minutes of inactivity within any location on the site (all of which is password protected under an acl_users or acl_users (group aware) setup).

It seems like no matter what I do to the session-timeout-minutes value in zope.conf, as long as the user keeps their browser open, they can continue to use the site even if they are idle for an hour or more... I have the session-timeout-minutes set to 15 and have set the session-resolution-seconds value to 20 seconds as well and restarted Zope, and yet it seems to not make a difference.

Thank you,
Robin

-----Original Message-----
From: zope-bounces@zope.org [mailto:zope-bounces@zope.org] On Behalf Of Andreas Jung
Sent: Thursday, January 25, 2007 10:08 AM
To: Sale, Robin; zope@zope.org
Subject: Re: [Zope] Session Timeout Troubles
Sale, Robin wrote at 2007-1-25 09:59 -0500:
... I've recently been asked to set the system to user sessions time out after 15 minutes of activity. I've changed the setting in our zope.conf file (the session timeout value) and restarted zope. However, if I open a page on the site that requires logon and log in, then leave the browser alone for 15 or 20 minutes or even an hour, when I click on a link, it doesn't force me to re-authenticate... it just works as normal.
I have never heard of such a behaviour -- and it is almost unbelievable. In any such case (unbelievable behaviour), I always use a powerful tool (the debugger in this case) to shed light on the behaviour.

-- Dieter
Dieter,

Thank you for your reply. Originally there was a customer-driven need to have them as long as possible for some time, but now there is a management need to make sessions as short as possible to increase security. My big concern is that my predecessor may have done some serious deep-down hacking to make sessions not time out until the browser is closed, to stop the whining. He's not around anymore and I'm not as much of an expert as him.

What I'm doing: Visit a simple HTML page that has a link to a second... all of which is contained within a folder that requires an authenticated user to view. I go to server:8080/page_path/page_name and have to log in. I do so, and see the page. Now, I wait 20, 30, 45 minutes, even an hour and click on the link to server:8080/page_path/page_name2.

What I WANT to happen is to be forced to provide my credentials if it's been sitting longer than 15 minutes. What IS happening is that I simply get the page. The zope.conf is set with session-timeout-minutes 15.

I've looked at the debugging page in the control panel, but it doesn't tell me anything I recognize as useful.

-----Original Message-----
From: zope-bounces@zope.org [mailto:zope-bounces@zope.org] On Behalf Of Dieter Maurer
Sent: Thursday, January 25, 2007 1:28 PM
To: Sale, Robin
Cc: zope@zope.org
Subject: Re: [Zope] Session Timeout Troubles
I've looked at the debugging page in the control panel, but it doesn't tell me anything I recognize as useful.

Are you sure that your authentication uses the session? Maybe it uses cookies? Try to set a variable in the session on one page and display it on another one. Then wait for 15-20 minutes and see what happens.

Another thing that may cause this is the session-resolution-seconds setting in your zope.conf - this affects the session timeout value.

-- Maciej Wisniowski
Thank you for your reply. I'm guessing that yes, Zope is using session cookies in this setup. Unfortunately, the people who did the original configuration and setup are no longer with my company, so I can't ask directly. How would I be able to tell if it's set one way or another? I certainly see nothing about cookie auth in the zope.conf file. (I'm hitting the Zope server directly (not going through our Apache front-end) to make sure I'm only dealing with a Zope issue.)

Thanks Again,
Robin

-----Original Message-----
From: zope-bounces@zope.org [mailto:zope-bounces@zope.org] On Behalf Of Maciej Wisniowski
Sent: Thursday, January 25, 2007 3:22 PM
To: Sale, Robin
Cc: zope@zope.org
Subject: Re: [Zope] Session Timeout Troubles
I'm guessing that yes, Zope is using session cookies in this setup. Unfortunately, the people who did the original configuration and setup are no longer with my company, so I can't ask directly. How would I be able to tell if it's set one way or another? I certainly see nothing about cookie auth in the zope.conf file.

This is done by your acl_users. I don't know what kind of User folder you're using. You may see this by going to the acl_users folder in the ZMI; at the top you should see something like:

'Pluggable User Folder at /path/to/acl_users'

where 'Pluggable User Folder' is the name of your acl_users product. Depending on which UserFolder (acl_users) you use, it may (or may not) be possible to configure it not to use cookies. Another solution might be to use session hooks (a script that is called when a user session expires) to log out the user, or you may use a different UserFolder, e.g. PAS.

-- Maciej Wisniowski
Sale, Robin wrote at 2007-1-25 14:33 -0500:
.... What I'm doing: Visit a simple HTML page that has a link to a second ... all of which is contained within a folder that requires authenticated user to view. I go to server:8080/page_path/page_name and have to log in. I do so, and see the page. Now, I wait 20,30, 45 minutes, even an hour and click on the link to server:8080/page_path/page_name2.
Only in special cases is the user identity held in the session. More often, it is held in a (session) cookie. Maybe you are in the situation that the user identity is in a cookie and the session timeout works as expected?

-- Dieter
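The point the thread converges on, shown as an added example (not code from any of the posters or from Zope itself): session-timeout-minutes in zope.conf only expires objects in the session data container under temp_folder. It never touches the credential the browser re-sends on every request, whether that is a CookieCrumbler cookie or a Basic-auth header, so a user whose session data has long since expired still gets every page. Forcing re-authentication after 15 idle minutes therefore has to be done explicitly: stamp the last activity into the session, check the stamp on each authenticated request, and when it is stale or missing, invalidate the session and expire the credential cookie before raising Unauthorized. The Zope integration points are assumptions about the deployment in the thread: REQUEST.SESSION behaves like the `session` argument (get/set/invalidate), RESPONSE.expireCookie(name) is available, and credentials travel in CookieCrumbler's `__ac` cookie. The Session and Response classes at the bottom are constructed stand-ins so the module runs offline.

```python
"""Idle-timeout enforcement independent of zope.conf's session-timeout-minutes.

Added example. Assumed Zope hooks: REQUEST.SESSION (get/set/invalidate),
RESPONSE.expireCookie(name), and CookieCrumbler's '__ac' credential cookie.
"""
import time

AUTH_COOKIE = "__ac"             # CookieCrumbler credential cookie (assumed name)
STAMP_KEY = "_idle_last_seen"    # our own key inside the session data container
IDLE_TIMEOUT_MINUTES = 15


class IdleTimeoutExpired(Exception):
    """Raised when the request must be rejected and the user re-authenticated."""


def mark_activity(session, now=None):
    """Seed or refresh the last-activity stamp. Call this at login time."""
    now = time.time() if now is None else now
    session.set(STAMP_KEY, now)
    return now


def enforce_idle_timeout(session, response, now=None,
                         timeout_minutes=IDLE_TIMEOUT_MINUTES):
    """Run on every authenticated request before serving content.

    Three outcomes:
      * stamp missing: the session data container already expired this
        session (or the user never passed through login), so the browser is
        presenting a credential cookie with no live server-side session;
      * stamp older than the timeout: the user was idle too long;
      * otherwise: refresh the stamp and return the idle seconds allowed.
    In the first two cases the server-side session is invalidated, the
    credential cookie is expired, and IdleTimeoutExpired is raised so the
    caller can raise Unauthorized (which re-triggers the login form).
    """
    now = time.time() if now is None else now
    last = session.get(STAMP_KEY)
    idle = None if last is None else now - last
    if idle is None or idle > timeout_minutes * 60:
        session.invalidate()                 # drop server-side state
        response.expireCookie(AUTH_COOKIE)   # and the credential the browser resends
        raise IdleTimeoutExpired(
            "no live session" if idle is None else "idle for %.0fs" % idle)
    session.set(STAMP_KEY, now)              # inactivity clock, not session age
    return idle


# --- constructed stand-ins for REQUEST.SESSION and RESPONSE -----------------

class Session(object):
    """Minimal model of a Zope transient session object."""
    def __init__(self):
        self._data = {}

    def get(self, key, default=None):
        return self._data.get(key, default)

    def set(self, key, value):
        self._data[key] = value

    def invalidate(self):
        self._data.clear()


class Response(object):
    """Records which cookies were expired."""
    def __init__(self):
        self.expired = []

    def expireCookie(self, name):
        self.expired.append(name)


def simulate(idle_gaps_minutes):
    """Log in at t=0, then issue one request after each gap (minutes).
    Returns one outcome per request: 'ok' or 'reauth'."""
    session, response = Session(), Response()
    t = mark_activity(session, now=0.0)
    outcomes = []
    for gap in idle_gaps_minutes:
        t += gap * 60
        try:
            enforce_idle_timeout(session, response, now=t)
            outcomes.append("ok")
        except IdleTimeoutExpired:
            outcomes.append("reauth")
            t = mark_activity(session, now=t)   # user logs in again
    return outcomes


def dead_session_clears_cookie():
    """A credential cookie arriving with no server-side session is rejected
    and the cookie itself is expired, not just the request."""
    session, response = Session(), Response()
    try:
        enforce_idle_timeout(session, response, now=100.0)
    except IdleTimeoutExpired:
        return response.expired == [AUTH_COOKIE]
    return False
```

In a Zope 2 deployment the two functions would be called from a single place that every protected request passes through (an access rule or a wrapper around the login and standard_html_header hooks), which is what makes it workable across 500 sites without touching each one. Note what the check does not solve: with plain Basic auth there is no cookie to expire, and the browser will keep resending the same header, so an idle timeout can only be enforced by switching to cookie-based credentials.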
participants (4): Andreas Jung, Dieter Maurer, Maciej Wisniowski, Sale, Robin