Isn't this why session.renew() was added?

On Mon, Mar 3, 2014 at 2:29 PM, Massimo Di Pierro <
massimo.dipie...@gmail.com> wrote:

> I will check and release a patch soon. Please do not discuss possible
> security issues on this mailing list. Report them to the developers
> directly.
>
>
> On Monday, 3 March 2014 02:06:05 UTC-6, Kiran Subbaraman wrote:
>>
>> I see this in 2.9.2 too (Just tested with the latest release)
>>
>> On Monday, March 3, 2014 1:25:14 PM UTC+5:30, Kiran Subbaraman wrote:
>>>
>>> Hello,
>>> I noticed this issue recently related to user session data.
>>> In my application I store some user specific session data, so that I do
>>> not have to hit the database every time (now, am also looking at using
>>> the cache for that, instead of session).
>>> If userA is logged into the application, and then userA auth session
>>> expires, a login screen is presented. In case login is performed with
>>> userB's credentials, the session data from userA is still available, and
>>> is displayed on userB's screen.
>>>
>>> I have created a minimal app to demonstrate the issue that I see. Also
>>> take a look at the screenshots. Notice the session.userdata variable's
>>> value.
>>> Tested this on web2py 2.8.2, on Windows 8.
>>>
>>> This is my controller code:
>>> @auth.requires_login()
>>> def index():
>>>     ...
>>>
>>>     if session['userdata'] is None:
>>>         session.userdata = auth.user.first_name
>>>
>>> I am suspecting this is an issue / bug. Can anyone confirm?
>>> This issue does not arise, if the user explicitly logs out of a session,
>>> or the browser window is closed (I have set my browser to clear all
>>> cookies data when it is closed)
>>>
>>> --
>>>
>>> ________________________________________
>>> Kiran Subbaraman
>>> http://subbaraman.wordpress.com/about/
>>>
>>>  --
> Resources:
> - http://web2py.com
> - http://web2py.com/book (Documentation)
> - http://github.com/web2py/web2py (Source code)
> - https://code.google.com/p/web2py/issues/list (Report Issues)
> ---
> You received this message because you are subscribed to the Google Groups
> "web2py-users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to web2py+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/groups/opt_out.
>
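
The behaviour reported in this thread, modelled as an added example that is not code from the thread or from web2py: a plain dict stands in for the session and for `auth.user`, and the function names and the `userdata_owner` key are hypothetical. It shows the reported caching pattern next to a variant that ties the cached value to the id of the user it was built for.

```python
# Added example: framework-independent model of the session behaviour
# reported in this thread. `session` is a plain dict standing in for the
# framework session; `user` is a dict standing in for auth.user.


def cache_userdata_unsafe(session, user):
    """Pattern from the post: fill the cache only when it is empty."""
    if session.get("userdata") is None:
        session["userdata"] = user["first_name"]
    return session["userdata"]


def cache_userdata_bound(session, user):
    """Hardened form: record which user the cached value belongs to and
    discard it whenever a different user is authenticated."""
    if session.get("userdata_owner") != user["id"]:
        session.pop("userdata", None)           # drop the previous user's data
        session["userdata_owner"] = user["id"]  # hypothetical key name
    if session.get("userdata") is None:
        session["userdata"] = user["first_name"]
    return session["userdata"]


def simulate(cache_fn):
    """userA logs in, the auth part of the session expires while the session
    data survives, then userB logs in from the same browser session."""
    user_a = {"id": 1, "first_name": "Alice"}   # constructed sample users
    user_b = {"id": 2, "first_name": "Bob"}
    session = {}
    seen_by_a = cache_fn(session, user_a)
    # Auth expiry is modelled by doing nothing: the cached key is left in
    # place, which is the condition described in the report.
    seen_by_b = cache_fn(session, user_b)
    return seen_by_a, seen_by_b


if __name__ == "__main__":
    print("unsafe:", simulate(cache_userdata_unsafe))
    print("bound: ", simulate(cache_userdata_bound))
```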
