[Twisted-web] Re: /__logout__ doesn't expire the session

Tommi Virtanen tv at twistedmatrix.com
Fri Jan 14 13:23:16 MST 2005


Andrea Arcangeli wrote:
> Ok, no problem, logout isn't reliable anyway since the session can
> expire instead of the user logging out, so I'll simply use the mind to
> expire the session instead of applying the patch I posted (the security
> part).

As far as I understand things, session timeout causes all the related
logout functions to be called.

It goes something like this:

one session relates to 0..n logged in portals

portal logout means pretty much nothing to a session

session expiry logs out from all related portals

__logout__ logs out from that particular portal

if you store data in session, they live until session expiry

if you store data in mind, it lives until portal logout (NOTE: this
is the only part I do not grok the code for, so I may be wrong here.
I am pretty sure about the other points)


This should probably be said explicitly in some docstrings.
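
A toy model of the lifecycle listed in the message above, added here as an illustration; it is not part of the original message and is not Twisted or Nevow code. All class and method names are hypothetical, and the mind behaviour follows the point the author marks as uncertain.

```python
# Toy model of the session/portal lifecycle described in the message.
# Every name here is hypothetical; nothing below is a Twisted or Nevow API.

class Session:
    def __init__(self):
        self.data = {}        # session-scoped: lives until session expiry
        self.portals = {}     # portal name -> (mind, logout callable)
        self.expired = False

    def login(self, portal, mind, on_logout):
        self.portals[portal] = (mind, on_logout)

    def portal_logout(self, portal):
        """Models /__logout__: logs out of this one portal only."""
        mind, on_logout = self.portals.pop(portal)
        on_logout()
        mind.clear()          # mind-scoped state ends with the portal login

    def expire(self):
        """Models session timeout: log out of all portals, then drop data."""
        for portal in list(self.portals):
            self.portal_logout(portal)
        self.data.clear()
        self.expired = True


def demo():
    events = []
    s = Session()
    admin_mind, shop_mind = {"role": "admin"}, {"cart": [1, 2]}
    s.login("admin", admin_mind, lambda: events.append("admin logout"))
    s.login("shop", shop_mind, lambda: events.append("shop logout"))
    s.data["csrf_token"] = "constructed-sample-value"  # constructed sample

    s.portal_logout("admin")              # /__logout__ on one portal
    after_logout = {
        "session_data": dict(s.data),     # still present after logout
        "admin_mind": dict(admin_mind),   # cleared with the portal login
        "still_logged_in": sorted(s.portals),
    }
    s.expire()                            # timeout tears down the rest
    return after_logout, events, dict(s.data), dict(shop_mind)
```

In this model, anything that must not outlive a login belongs in the mind (or has to be cleared by the logout callable), because session data survives `portal_logout`.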


