Hi,
At the moment in fedocal, pkgdb2 and probably other apps using flask_fas_openid, the timeout for the session is the default one which is set to 31 days.
This can of course be changed and I was wondering what we think would be best as a default timeout.
Thoughts?
Thanks, Pierre
PS: Change the timeout in Flask: http://stackoverflow.com/questions/11783025/is-there-an-easy-way-to-make-ses...
On Wed, Nov 27, 2013 at 04:42:49PM +0100, Pierre-Yves Chibon wrote:
> Hi,
> At the moment in fedocal, pkgdb2 and probably other apps using flask_fas_openid, the timeout for the session is the default one which is set to 31 days.
> This can of course be changed and I was wondering what we think would be best as a default timeout.
> Thoughts?
> Thanks, Pierre
> PS: Change the timeout in Flask: http://stackoverflow.com/questions/11783025/is-there-an-easy-way-to-make-ses...

No more than 2 days. Probably no more than 1 day.
No less than 20 minutes (FAS has an idle timeout of 20 minutes).
Is this an idle timeout or an absolute timeout?
-Toshio
On Wed, Nov 27, 2013 at 08:31:53AM -0800, Toshio Kuratomi wrote:
> On Wed, Nov 27, 2013 at 04:42:49PM +0100, Pierre-Yves Chibon wrote:
>> Hi,
>> At the moment in fedocal, pkgdb2 and probably other apps using flask_fas_openid, the timeout for the session is the default one which is set to 31 days.
>> This can of course be changed and I was wondering what we think would be best as a default timeout.
>> Thoughts?
>> Thanks, Pierre
>> PS: Change the timeout in Flask: http://stackoverflow.com/questions/11783025/is-there-an-easy-way-to-make-ses...
> No more than 2 days. Probably no more than 1 day.
> No less than 20 minutes (FAS has an idle timeout of 20 minutes).

Should we go for 1 hour then?

> Is this an idle timeout or an absolute timeout?

That I do not know. http://flask.pocoo.org/docs/config/ just says: the lifetime of a permanent session as datetime.timedelta object. Starting with Flask 0.8 this can also be an integer representing seconds.
The good news is that it looks like we can just set it up in the configuration file using the key: PERMANENT_SESSION_LIFETIME w/o having to change anything in the application itself.
Pierre
On Wed, Nov 27, 2013 at 05:48:44PM +0100, Pierre-Yves Chibon wrote:
> On Wed, Nov 27, 2013 at 08:31:53AM -0800, Toshio Kuratomi wrote:
>> No more than 2 days. Probably no more than 1 day.
>> No less than 20 minutes (FAS has an idle timeout of 20 minutes).
> Should we go for 1 hour then?

Works for me. We've brought this up before and never come up with a set-in-stone rule other than "everything should attempt to match". Let's document the time we've settled on for now on the App Best Practices page.

>> Is this an idle timeout or an absolute timeout?
> That I do not know. http://flask.pocoo.org/docs/config/ just says: the lifetime of a permanent session as datetime.timedelta object. Starting with Flask 0.8 this can also be an integer representing seconds.

Looking at the flask code, I think it's an idle timeout (the timeout gets updated every time a new request is made). So it matches our current TG1 apps in that respect.

> The good news is that it looks like we can just set it up in the configuration file using the key: PERMANENT_SESSION_LIFETIME w/o having to change anything in the application itself.

<nod>
We should probably look into updating our other apps to use an hour idle timeout if they support it as well. The TG1 apps should just be a config setting as well.
-Toshio
infrastructure@lists.fedoraproject.org
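
Added example (not part of the thread, and not code from fedocal, pkgdb2 or flask_fas_openid): a minimal Flask app that sets the one-hour value discussed above through PERMANENT_SESSION_LIFETIME and, because that setting slides with each request, adds a separate absolute cap. The one-day cap, the `create_app` factory, the `started` session key, the routes and the injectable `clock` are assumptions made for illustration.

```python
import time
from datetime import timedelta

from flask import Flask, session

IDLE_TIMEOUT = timedelta(hours=1)      # the value settled on in the thread
ABSOLUTE_TIMEOUT = timedelta(days=1)   # assumed cap, from the "no more than 1 day" remark


def create_app(clock=time.time):
    """Build a demo app; `clock` is injectable so expiry can be tested."""
    app = Flask(__name__)
    app.config.update(
        SECRET_KEY="constructed-example-key",  # placeholder, not a real secret
        # Applies only to sessions marked permanent. Flask re-issues the
        # cookie on each response, so this acts as an idle timeout.
        PERMANENT_SESSION_LIFETIME=IDLE_TIMEOUT,
        SESSION_REFRESH_EACH_REQUEST=True,  # Flask default, shown explicitly
    )

    @app.before_request
    def enforce_absolute_timeout():
        # "started" lives in the signed cookie, so the client cannot reset it.
        started = session.get("started")
        if started is not None and clock() - started > ABSOLUTE_TIMEOUT.total_seconds():
            session.clear()  # drops the login; the user must authenticate again

    @app.route("/login")
    def login():  # hypothetical stand-in for the real FAS OpenID login
        session.clear()
        session.permanent = True  # without this the lifetime setting is ignored
        session["user"] = "example-user"
        session["started"] = clock()
        return "logged in"

    @app.route("/whoami")
    def whoami():
        return session.get("user", "anonymous")

    return app
```

An active user keeps the session alive past the one-hour mark because every response carries a refreshed cookie; only the `started` check ends it after a day.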