[Pharo-project] Session expiration question
bschwab at anest.ufl.edu
Fri Sep 25 10:19:24 EDT 2009
I am gradually gaining confidence with mixing Seaside and SSL. The next step is to ensure that only authenticated users can access the application(s), which seems easy enough by simply demanding a password in the first component. I have some more work to do, such as allowing users to change their password (unless I pawn that off to our directory system), and ideally finding a nice way to persist (hashed of course) passwords either in a database or other storage. If any of you have particularly elegant solutions to the latter, I'd be all ears :)
My current concern is over work a user might do in a session that expires. I would rather not have to answer with: "sorry, it's gone, you're screwed, work faster next time," but that would be far better than security breaches, and the application already allows the user to attack the work a few small bites at a time. Is there a robust way to drop the user into a task/loop that re-authenticates and then allows work to continue where the user left off? If they close the browser, I have no sympathy; I'm thinking of timeouts.