Thanks a lot for your response. I tried to follow it but got a "Not
defined" error for the clean_session() function you'd mentioned. I
tried to force "session.clear" at the beginning of modules/menu.py, but
after logging out from my app, Janrain's plugin still recognized
me with the "Welcome back" and "it's not me" screen. Cleaning the local cache
and cookies did help, but this cleans Janrain's (local) cache too, so
I don't know how to proceed from here. In addition, you mentioned a
"nutshell" - what is it?
I would like to say a few words about "It is not a web2py deficiency." -
web2py is great, because it is done right. It is designed and written
the right way, the adoption to web2py framework is excellent. The
above is addressed to new users.
Thanks.

On Feb 2, 6:58 pm, ron_m <ron.mco...@gmail.com> wrote:
> I put this chunk of code in models/menu.py just after the index item and
> before the rest of the menu because I didn't want the other menu items
> exposed if not logged in. Your case may vary but the code should be the
> same, just placement.
>
> if auth.user:
>     #print 'menu: ', auth.user_id, auth.user.username, session.saved_user_id
>     if (not session.saved_user_id) or (session.saved_user_id != auth.user_id):
>         clean_session()
>         session.saved_user_id = auth.user_id
>
> In a nutshell,
> if logged in
> Test for a copy of auth.user_id saved in session.saved_user_id and if not
> saved or the login id is now different
> run clean_session()
> and save the now current auth.user_id in the session.saved_user_id.
>
> I am not using Janrain, just regular web2py authentication but the session
> file was getting reused in that case too giving the next user to use the
> client browser the permissions in the application of the previous user.
>
> The clean_session() function must be kept current and all it does is scrub
> every session variable that could have been created by the application. I
> suppose I could just walk the collection, not sure what else might be in
> there, will have to look one day.
>
> You are a victim of this: the same machine, web browser, browser window and
> browser tab all see the same session file. If you logged in on the client
> workstation machine with a different account, the browser would use a
> different cookie set and you probably would not have the problem. It is not a
> web2py deficiency.
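
An added sketch, not code from this thread or from web2py, of a clean_session() that walks the session as the quoted reply suggests, combined with the user-id check from the quoted snippet. The Storage class is a stand-in for web2py's session object so the block runs on its own; FRAMEWORK_KEYS and bind_session_to_user are hypothetical names, and keeping only the 'auth' key is an assumption about what the application needs to survive the scrub.

```python
class Storage(dict):
    """Stand-in for web2py's session: a dict with attribute access."""

    def __getattr__(self, key):
        # Missing keys read as None, which is how the quoted snippet
        # can test "not session.saved_user_id" on a fresh session.
        return self.get(key)

    def __setattr__(self, key, value):
        self[key] = value


# Assumption: keys owned by the framework that must survive the scrub.
# 'auth' is where web2py's Auth keeps the logged-in user.
FRAMEWORK_KEYS = frozenset({"auth"})


def clean_session(session, keep=FRAMEWORK_KEYS):
    """Delete every session variable not listed in keep; return what was removed."""
    removed = [key for key in list(session) if key not in keep]
    for key in removed:
        del session[key]
    return sorted(removed)


def bind_session_to_user(session, user_id):
    """Scrub the session if it was last used by a different user.

    Returns True when a scrub happened, False otherwise.
    """
    if user_id is None:
        # Nobody is logged in, so there is no owner to compare against.
        return False
    if session.saved_user_id == user_id:
        return False
    clean_session(session)
    session.saved_user_id = user_id
    return True
```

In a web2py model file the call would be bind_session_to_user(session, auth.user_id), placed where the quoted snippet sits.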
