[Zope-CMF] [PAS] CookieAuthHelper with expiration date for cookies

Laurence Rowe l at lrowe.co.uk
Mon Nov 29 10:24:18 EST 2010


2010/11/29 Andreas Jung <lists at zopyx.com>:
> We have the requirement within a project that a Plone user should
> be logged off automatically after N minutes of inactivity (meaning
> the authentication cookie should expire after N minutes).
>
> CookieAuthHelper.updateCredentials() is in charge of the initial
> setting of the authentication cookie. Adding an expiration date here
> would not be the deal. However, the authentication cookie
> must be set with an updated expiration date upon every request (in order
> to reset the inactivity timer to zero). Is there some way to hook
> this functionality properly into PAS? Otherwise I would have to
> hack the ZPublisher somehow... (perhaps using Publisher events...).

On Plone, CookieAuthHelper (or rather the PlonePAS subclass,
ExtendedCookieAuthHelper) is only responsible for Challenge and
Extraction. plone.session is responsible for Update Credentials.

Setting an expiration date on an authentication cookie makes it
persistent, so if a user closes their browser they will not be logged
out. Instead, plone.session includes the issue time and has a cookie
validity setting that limits the validity of any issued cookie.

For keeping the cookie up to date you have two options.

1. Put it in mod_auth_tkt compatibility mode and configure Apache to
refresh the cookies for you.

2. Add the extensions profile that adds a CSS refresh URL to the CSS
registry, along with some JavaScript so a user is not logged out while
they are active on a page. (This is new in plone.session 3.1, which
will be in Plone 4.1, but is compatible back to Plone 3.2.)

Documentation at http://pypi.python.org/pypi/plone.session/3.1

Laurence
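The mechanism Laurence describes, an issue time carried inside a signed cookie and checked against a server-side validity window, with the ticket re-issued on each request so the inactivity timer restarts, as an added illustration that is not plone.session's or mod_auth_tkt's actual ticket format. The ticket layout, the function names, the 20-minute window and the secret are all constructed for this example.

```python
import hashlib
import hmac

# Constructed values for the example: the real deployment keeps its own secret,
# and N is whatever inactivity limit the project requires.
SECRET = b"example-shared-secret-not-for-production"
VALIDITY_SECONDS = 20 * 60  # N = 20 minutes of allowed inactivity (assumption)


def _mac(user_id: str, issued: int) -> str:
    """HMAC over user id and issue time so neither can be altered client-side."""
    payload = f"{user_id}|{issued}".encode()
    return hmac.new(SECRET, payload, hashlib.sha256).hexdigest()


def issue_ticket(user_id: str, now: float) -> str:
    """Build a ticket of the form user|issued|mac. No browser-side expiry is set,
    so the cookie stays a session cookie; the validity is enforced server-side."""
    issued = int(now)
    return f"{user_id}|{issued}|{_mac(user_id, issued)}"


def validate_ticket(ticket: str, now: float):
    """Return the user id if the ticket is authentic and was issued within the
    validity window; return None for tampered, malformed or stale tickets."""
    try:
        user_id, issued_str, mac_hex = ticket.rsplit("|", 2)
        issued = int(issued_str)
    except ValueError:
        return None
    # Constant-time comparison of the recomputed MAC against the presented one.
    if not hmac.compare_digest(_mac(user_id, issued), mac_hex):
        return None
    if now - issued > VALIDITY_SECONDS:
        return None  # more than N minutes since the last refresh: logged out
    return user_id


def refresh_if_valid(ticket: str, now: float):
    """Per-request hook: if the ticket is still good, re-issue it with a fresh
    issue time so the inactivity timer starts again from this request."""
    user_id = validate_ticket(ticket, now)
    if user_id is None:
        return None
    return issue_ticket(user_id, now)


if __name__ == "__main__":
    t0 = 1_000_000.0
    original = issue_ticket("alice", t0)
    refreshed = refresh_if_valid(original, t0 + 600)
    print(validate_ticket(original, t0 + 1300))   # None: stale without a refresh
    print(validate_ticket(refreshed, t0 + 1300))  # alice: refresh restarted the timer
```

The refresh step is what a per-request hook (or Apache in mod_auth_tkt compatibility mode) has to perform; the check itself never needs the cookie's own expiration attribute.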
