Yes, due to a security vulnerability, the behavior was changed -- now by 
default, a new session ID is created upon either login or logout, and upon 
logout, the session itself is cleared. The behavior can be controlled with 
these settings (default values shown):

auth.settings.renew_session_onlogin = True # change session ID
auth.settings.renew_session_onlogout = True # change session ID
auth.settings.keep_session_onlogin = True # keep session content
auth.settings.keep_session_onlogout = False # clear session content

To achieve what you want, do:

auth.settings.keep_session_onlogout = True

Though keep in mind there may be a security risk if anything in the 
session should pertain only to the previously logged in user. If you want 
to keep only particular keys in the session upon logout, then make the 
setting as shown above, and create an auth.settings.logout_onlogout 
callback that clears all the keys in the session except those you want to 
keep.

Note, if necessary, you can also renew the session directly via:

session.renew(clear_session=[True|False])

That is the method called by Auth, depending on the above settings.

Anthony

On Friday, May 23, 2014 1:58:40 PM UTC-4, Mandar Vaze wrote:
>
> I have two applications using different versions of web2py
>
> I'm using session variables to store some sort of user preferences.
>
> First one uses version 2.3.2
> Here - I set the session variables after user selects their preferences. 
> These values are available even after user logs out and logs back in
> This works well for me.
>
> The second one uses version 2.9.5
> Here - the code is similar (set session variables when user sets the 
> preferences) - but when the user logs out - the session variables are lost.
> So when user logs in again - the preferences are lost
>
> In both cases - sessions are stored on the filesystem (default setup), 
> neither have I modified any expiration values from the default 
>
> I'm assuming this is due to some changes in how web2py handles sessions 
> between 2.3.2 and 2.9.5
>
> Is there a way to retain session variables even after user logs out - *in 
> 2.9.5* ?
>
> I have seen suggestions to use cache options - but I would prefer to 
> continue to use session variables (in 2.3.2 this was seamless - just 
> set/get the variables - nothing more)
>
> -Mandar
>
>
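
An added example (not part of the original thread and not web2py's own code) of the logout callback described in the reply: it keeps an allowlist of session keys and drops everything else, so data belonging to the previous user does not survive logout. KEEP_KEYS, the helper names and the sample session keys are hypothetical; the wiring shown in the comments assumes the usual `auth` and `session` globals of a web2py model file and that the callback receives the user row.

```python
# Added example, not web2py source. KEEP_KEYS and the sample keys are hypothetical.
KEEP_KEYS = frozenset({"ui_theme", "ui_language"})


def prune_session(session, keep=KEEP_KEYS):
    """Delete every session key that is not on the allowlist.

    An allowlist fails closed: a key added to the app later is dropped
    at logout unless it is explicitly listed in `keep`.
    Returns the sorted names of the removed keys (useful for logging).
    """
    removed = [key for key in list(session) if key not in keep]
    for key in removed:
        del session[key]
    return sorted(removed)


def logout_callback(user, session):
    """Body for auth.settings.logout_onlogout; `user` is unused here."""
    return prune_session(session)


# In a web2py model file the wiring would be (assumption: the callback
# is called with the user row as its only argument):
#   auth.settings.keep_session_onlogout = True
#   auth.settings.logout_onlogout = lambda user: logout_callback(user, session)


def demo():
    # Constructed session content for a logged-in user.
    session = {
        "auth": {"user_id": 7},
        "cart": [101, 102],
        "is_admin_view": True,
        "ui_theme": "dark",
        "ui_language": "en",
    }
    removed = logout_callback(user=None, session=session)
    return session, removed


if __name__ == "__main__":
    print(demo())
```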
