[Seaside] Session expiration question

Schwab,Wilhelm K bschwab at anest.ufl.edu
Fri Sep 25 14:19:24 UTC 2009

Hello all,

I am gradually gaining confidence with mixing Seaside and SSL.  The next step is to ensure that only authenticated users can access the application(s), which seems easy enough by simply demanding a password in the first component.  I have some more work to do, such as allowing users to change their password (unless I pawn that off to our directory system), and ideally finding a nice way to persist (hashed of course) passwords either in a database or other storage.  If any of you have particularly elegant solutions to the latter, I'd be all ears :)

My current concern is over work a user might do in a session that expires.  I would rather not have to answer with: "sorry, it's gone, you're screwed, work faster next time," but that would be far better than security breaches, and the application already allows the user to attack the work a few small bites at a time.  Is there a robust way to drop the user into a task/loop that re-authenticates and then allows work to continue where the user lefr off?  If they close the browser, I have no sympathy; I'm thinking of timeouts.


More information about the seaside mailing list