Odoo is the world's easiest all-in-one management software.
It includes hundreds of business apps:
I guess odoo should end user sessions when the server is being stop/restarted and require a new login procedure when it come up again (which is standard behavior in v7) v8 doesn't do that. Seems as sessions are 'eternal'. Is that a new feature or a bug?
EDIT: filed a bug report here https://github.com/OCA/OCB/issues/38
I don't know about version 7, but in version 6.1 the behavior is 'eternal', like you said for version 8. I think this is by design and not a bug. The root problem is the design of session cookie. If what you want is not 'eternal' session, the session should be stored in database. I think there is already a module for this.
Talking about session cookies, there should be a configuration / code to change the expired date option (or a generation of a secret number to invalidate the session), but I haven't check it yet.
aren't eternal Sessions pretty insecure? especially due to the fact that OE targets at being used online. (Imagine you login in an internet cafe or whateer public or semi-public place [like your colleagues terminal in the office on the upper floor], forget to logout, electricity dropout ...) Your whole data is exposed to that machine. Isn't it a little strange to have such by design?
Yes, I agree with you. But, we already live with this kind of problem (not limited to Odoo only). One solution to improve your Odoo service is to use full https. The tradeoff is usually convenience for user (such as performance), but this is only my opinion.
1. Use the live chat to ask your questions.
2. The operator answers within a few minutes.
