I've tried using Session.lease_time as a session timeout mechanism
and have not good success with it. The behavior is really more of a
session invalidation than a session timeout.

The problem is that it's not clear how to catch a lease expiration in
the code so that you can display an appropriate message; it just
suddenly appears like an unauthenticated user is visiting the page
with a brand new session. This makes it difficult to try and do
friendly things like cache form values and reload them after they re-
authenticate.

I guess I'm looking more for behavior where the current session
doesn't get deleted but goes into a "needs to re-authenticate" state
which is handled by the login machinery and can be detected by
application code.

Any thoughts on how best to approach this?

Thanks.

Dave

------
David K. Hess
Verscend Technologies, Inc.
dhess@verscend.com
214-684-5448