Re: Flask session timeout
On Wed, Nov 27, 2013 at 05:48:44PM +0100, Pierre-Yves Chibon wrote:
On Wed, Nov 27, 2013 at 08:31:53AM -0800, Toshio Kuratomi wrote:
>
> No more than 2 days. Probably no more than 1 day.
>
> No less than 20 minutes (FAS has an idle timeout of 20 minutes).
Should we go for 1 hour then?
Works for me. We've brought this up before and never come up with
a set-in-stone rule other than "everything should attempt to match". let's
document the time we've settled on for now on the App Best Practices page.
> Is this an idle timeout or an absolute timeout?
That I do not know.
http://flask.pocoo.org/docs/config/ just says:
the lifetime of a permanent session as datetime.timedelta object. Starting with
Flask 0.8 this can also be an integer representing seconds.
Looking at the flask code, I think it's an idle timeout (the timeout gets
updated everytime a new request is made). So it matches our current TG1
apps in that respect.
The good news is that it looks like we can just set it up in the
configuration
file using the key: PERMANENT_SESSION_LIFETIME w/o having to change anything in
the application itself.
<nod>
We should probably look into updating our other apps to use an hour idle
timeout if they support it as well. The TG1 apps should just be a config
setting as well.
-Toshio
Attachments:
- attachment.sig (application/pgp-signature — 198 bytes)