[Zope-CMF] Expiring inactive login sessions

Felix Ulrich-Oltean felix at chaptereight.com
Fri Mar 5 07:16:24 EST 2004


Hi

I would like to "log a user out" if they've been inactive for a while
(this is with Plone2/CMF1.4).  AFAICT the cookie set by
CMFCore.CookieCrumbler lasts until the browser is closed.  However, in
an environment where workstations are often shared, this means that
when people don't explicitly log out, someone else in the office can
come and pick up their login.

Is there a way to set the cookie expiration time to, say, 10 minutes, so
that the user needs to log in again after 10 inactive minutes?  The
only way I can see to do this is to hack CookieCrumbler to re-set the
auth_cookie on every single request - this seems nasty.

If there's a better way, I'd love to hear about it.

Thanks,

Felix.

PS - are there any more secure login methods for Zope without HTTPS,
rather than sending the password as a base64-encoded cookie?
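
An added example, not part of Felix's message and not CookieCrumbler code: a sketch of the sliding idle timeout the post asks about, in which the cookie value is re-issued on every request and the server, not the browser, enforces the 10-minute limit. The cookie name `demo_session`, the key, and all function names are hypothetical; the token carries a user id and a signed last-activity time instead of the password.

```python
import base64
import hashlib
import hmac

IDLE_LIMIT = 600                    # seconds; the 10 minutes from the post
SECRET = b"constructed-demo-key"    # constructed; use a random server-side key

def _sign(payload: bytes) -> bytes:
    return hmac.new(SECRET, payload, hashlib.sha256).hexdigest().encode()

def issue_token(user: str, now: float) -> str:
    """Cookie value: base64(user|last_activity) + '.' + HMAC of that payload."""
    payload = f"{user}|{int(now)}".encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + _sign(payload).decode()

def check_and_refresh(token: str, now: float):
    """Return (user, fresh_token) if the token is authentic and the user was
    active within IDLE_LIMIT seconds; otherwise (None, None)."""
    try:
        b64, sig = token.split(".", 1)
        payload = base64.urlsafe_b64decode(b64.encode())
        user, ts = payload.decode().rsplit("|", 1)
        last_seen = int(ts)
    except (ValueError, UnicodeError):
        return None, None           # malformed cookie
    if not hmac.compare_digest(sig.encode(), _sign(payload)):
        return None, None           # payload or signature was altered
    if not 0 <= now - last_seen <= IDLE_LIMIT:
        return None, None           # idle too long: force a new login
    return user, issue_token(user, now)   # slide the window forward

def set_cookie_header(token: str) -> str:
    """Max-Age only tidies up the browser; the check above is the enforcement."""
    return f"Set-Cookie: demo_session={token}; Max-Age={IDLE_LIMIT}; HttpOnly; Path=/"
```

Because the token is stateless, an earlier copy of the cookie stays usable until its own timestamp ages past the limit, so an explicit logout still needs a server-side record if it must take effect immediately.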



