Hello, I'm using OpenERP 7 and there doesn't seem to be any session timeout: even if I close the browser and open it again, I'm still logged in. I want OpenERP to log me out after an idle amount of time or if the browser is closed. Is it possible?
In the http.py file there is this method:
    def session_gc(session_store):
        if random.random() < 0.001:
            # we keep session one week
            last_week = time.time() - 60*60*24*7
            for fname in os.listdir(session_store.path):
                path = os.path.join(session_store.path, fname)
                try:
                    if os.path.getmtime(path) < last_week:
                        os.unlink(path)
                except OSError:
                    pass
If you delete the random condition, the session will expire after a week, but I would like to understand why this line exists and why the session expiration depends on a random number.
The above code checks, for all session files on the server disk, whether the modification time is older than the defined time (one week). If so, they are deleted and the session is therefore invalidated. The user gets an HTTP 404 (it would be better to redirect to the login page!).
Since all session files are checked on each request, the random condition just reduces the effort by only doing the check every 1000 requests (on average).
session_gc by the way seems to stand for session garbage collection.
IMHO this is quite a poor handling of session timeouts, especially if the timeout should be shorter and there is not too much traffic on the server. The behaviour is very unpredictable.
A different topic, but discovered at the same time: all passwords are stored in plaintext in the session files on the server disk. It looks like the system checks on every request whether the user is still valid, using the password...
IMHO passwords never belong in any file or database in plain text. This is bad style and potentially a security risk.
I checked the answer I found on this forum (help.openerp.com/question/7363/settings-to-session-timeout) but it does not look right to me. The selected answer will only terminate the session after a certain time (10 min in the answer above) without looking at idle time; this means it will kill the session after 10 min even if the user is still working. I tried the solution mentioned by Mr. Shokri and it worked for me. I even reduced the time without removing the line, like
if random.random() < 0.1:
and it worked also. I agree with Mr. Shokri: if this line is preventing the code from working, I really want to know why this line exists in the first place. Thanks
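The idle-timeout behaviour asked for in this thread, as an added example (not part of the original posts and not OpenERP's own code): expiry is enforced deterministically whenever a session is loaded, and the random sweep is kept only to reclaim disk space. It assumes a file-per-session store whose file mtime is treated as the last-activity time; `session_is_valid`, `prob_gc_not_run`, `IDLE_TIMEOUT` and `SID_RE` are hypothetical names and values.

```python
import os
import random
import re
import tempfile
import time

IDLE_TIMEOUT = 15 * 60                  # assumed policy: 15 minutes idle
SID_RE = re.compile(r"^[0-9a-f]{40}$")  # assumed session-id format

def session_is_valid(store_path, sid, now=None, idle_timeout=IDLE_TIMEOUT):
    """Deterministic idle check, run on every request that loads a session."""
    if not SID_RE.match(sid):           # never build a path from an unchecked id
        return False
    now = time.time() if now is None else now
    path = os.path.join(store_path, sid)
    try:
        if now - os.path.getmtime(path) > idle_timeout:
            os.unlink(path)             # expired: invalidate immediately
            return False
        os.utime(path, (now, now))      # activity resets the idle clock
        return True
    except OSError:                     # file missing or removed by a sweep
        return False

def session_gc(store_path, now=None, idle_timeout=IDLE_TIMEOUT, probability=0.001):
    """Probabilistic sweep; only cleans up sessions nobody came back to."""
    if random.random() >= probability:
        return 0
    now = time.time() if now is None else now
    removed = 0
    for fname in os.listdir(store_path):
        path = os.path.join(store_path, fname)
        try:
            if now - os.path.getmtime(path) > idle_timeout:
                os.unlink(path)
                removed += 1
        except OSError:
            pass
    return removed

def prob_gc_not_run(requests, probability=0.001):
    """Chance that a purely probabilistic sweep has not fired after N requests."""
    return (1.0 - probability) ** requests

def demo():
    store, sid = tempfile.mkdtemp(), "ab" * 20   # constructed sample session
    open(os.path.join(store, sid), "w").close()
    t0 = os.path.getmtime(os.path.join(store, sid))
    return (session_is_valid(store, sid, now=t0 + 600),    # active user
            session_is_valid(store, sid, now=t0 + 1200),   # clock was reset
            session_is_valid(store, sid, now=t0 + 2101))   # idle > 15 min
```

With the 0.001 condition alone, `prob_gc_not_run(1000)` is about 0.37, which is why expiry that depends only on the sweep is unpredictable on a low-traffic server.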
|Asked: 3/10/14, 3:13 PM|
|Seen: 3519 times|
|Last updated: 3/16/15, 8:10 AM|