changeset 4709:efde74175d2d

merged main
author Thomas Waldmann <tw AT waldmann-edv DOT de>
date Sat, 25 Apr 2009 00:45:21 +0200
parents 04c4fdfe48a9 (current diff) 0fd171596794 (diff)
children 5c962bbcd797
files
diffstat 1 files changed, 25 insertions(+), 12 deletions(-) [+]
--- a/MoinMoin/web/session.py	Sat Apr 25 00:43:58 2009 +0200
+++ b/MoinMoin/web/session.py	Sat Apr 25 00:45:21 2009 +0200
@@ -45,6 +45,21 @@
         """
         raise NotImplementedError
 
+def _get_session_lifetime(request, userobj):
+    """ Get session lifetime for the user object userobj
+    Cookie lifetime in hours, can be fractional. First tuple element is for anonymous sessions,
+    second tuple element is for logged-in sessions. For anonymous sessions,
+    t=0 means that they are disabled, t>0 means that many hours.
+    For logged-in sessions, t>0 means that many hours,
+    or forever if user checked 'remember_me', t<0 means -t hours and
+    ignore user 'remember_me' setting - you usually don't want to use t=0, it disables logged-in sessions."""
+    lifetime = int(float(request.cfg.cookie_lifetime[userobj and userobj.valid]) * 3600)
+    forever = 10 * 365 * 24 * 3600 # 10 years
+
+    if userobj and userobj.valid and userobj.remember_me and lifetime > 0:
+        return forever
+    return abs(lifetime)
+
 class FileSessionService(SessionService):
     """
     This sample session service stores session information in a temporary
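Review bot: In `_get_session_lifetime`, the index expression `userobj and userobj.valid` evaluates to `None` when `userobj` is None, which is not a valid tuple index and would raise a TypeError. The very next statement guards with `if userobj and userobj.valid`, so the helper appears to expect a falsy `userobj`. Normalising once would make both uses consistent: `logged_in = bool(userobj and userobj.valid)` followed by `lifetime = int(float(request.cfg.cookie_lifetime[logged_in]) * 3600)`. The docstring could also say that the return value is in seconds, that 0 means "set no cookie", and that the `remember_me` case yields a ten-year identifier. Whether the session store enforces any server-side expiry for such long-lived ids is not visible in this hunk and is worth confirming.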
@@ -109,19 +124,17 @@
                 logging.debug("after auth: deleting session cookie!")
                 request.delete_cookie(self.cookie_name, path=cookie_path, domain=cfg.cookie_domain)
 
-        lifetime_h = cfg.cookie_lifetime[userobj and userobj.valid]
-        cookie_lifetime = int(float(lifetime_h) * 3600)
+        cookie_lifetime = _get_session_lifetime(request, userobj)
         if cookie_lifetime:
-            if session.new:
-                cookie_expires = time.time() + cookie_lifetime
-                # a secure cookie is not transmitted over unsecure connections:
-                cookie_secure = (cfg.cookie_secure or  # True means: force secure cookies
-                    cfg.cookie_secure is None and request.is_secure)  # None means: https -> secure cookie
-                logging.debug("user: %r, setting session cookie: %r" % (userobj, session.sid))
-                request.set_cookie(self.cookie_name, session.sid,
-                                   max_age=cookie_lifetime, expires=cookie_expires,
-                                   path=cookie_path, domain=cfg.cookie_domain,
-                                   secure=cookie_secure, httponly=cfg.cookie_httponly)
+            cookie_expires = time.time() + cookie_lifetime
+            # a secure cookie is not transmitted over unsecure connections:
+            cookie_secure = (cfg.cookie_secure or  # True means: force secure cookies
+                             cfg.cookie_secure is None and request.is_secure)  # None means: https -> secure cookie
+            logging.debug("user: %r, setting session cookie: %r" % (userobj, session.sid))
+            request.set_cookie(self.cookie_name, session.sid,
+                               max_age=cookie_lifetime, expires=cookie_expires,
+                                path=cookie_path, domain=cfg.cookie_domain,
+                               secure=cookie_secure, httponly=cfg.cookie_httponly)
 
             if session.should_save:
                 store = self._store_get(request)
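Review bot: With the `if session.new:` guard removed, the `logging.debug(...)` call that formats `session.sid` now runs on every request with a non-zero lifetime, so the session identifier is written to debug logs far more often, and anyone who can read those logs holds a usable credential while the session is valid. I would drop the sid from the message, e.g. `logging.debug("user: %r, setting session cookie", userobj)`, which also defers the formatting to the logging module. Re-issuing the cookie on each request makes the expiry sliding, so a session that stays in use never ages out unless the store applies an absolute limit; that is not visible here. As a style point, the `path=cookie_path, ...` continuation line is indented one column further than its siblings. The enclosing method starts and ends outside this hunk.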