On Jun 5, 2007, at 11:02 PM, David K. Hess wrote:

> I've tried using Session.lease_time as a session timeout mechanism
> and have not had good success with it. The behavior is really more of a
> session invalidation than a session timeout.
>
> The problem is that it's not clear how to catch a lease expiration
> in the code so that you can display an appropriate message; it just
> suddenly appears like an unauthenticated user is visiting the page
> with a brand new session. This makes it difficult to try and do
> friendly things like cache form values and reload them after they
> re-authenticate.
>
> I guess I'm looking more for behavior where the current session
> doesn't get deleted but goes into a "needs to re-authenticate"
> state which is handled by the login machinery and can be detected
> by application code.

The application can always compare get_session().get_access_time() and site_now() and start bothering the user, or even log the user out by calling get_session().clear_authentication(). You could do this by writing your own SitePublisher.fill_response_using_root_directory(), and that might be the easiest solution.

Alternatively, you could write your own subclass of Session, and add a SitePublisher.create_session() that returns an instance of your session class. That gives you total control of session behavior.
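
The "needs to re-authenticate" state asked for in the quoted message, built on the access-time comparison suggested in the reply, as an added example that is not part of the original thread and not the framework's own code. `ReauthSession`, `IDLE_LIMIT`, `check_idle` and `take_pending_form` are hypothetical stand-ins; only `clear_authentication` is named after the method in the reply.

```python
from datetime import datetime, timedelta

IDLE_LIMIT = timedelta(minutes=15)  # assumed policy value, not from the thread

class ReauthSession:
    """Hypothetical stand-in session; not the framework's Session class."""

    def __init__(self, now):
        self.user, self.needs_reauth = None, False
        self.access_time = now
        self.pending_form = None   # form values held across re-authentication
        self.form_owner = None     # user who submitted pending_form

    def authenticate(self, user, now):
        if user != self.form_owner:
            self.pending_form = None   # never replay one user's form to another
        self.user, self.access_time, self.needs_reauth = user, now, False

    def clear_authentication(self):
        self.user = None

    def check_idle(self, now, form=None):
        """Classify a request arriving at `now`: 'ok', 'reauth' or 'anonymous'."""
        if self.user is None:
            return "reauth" if self.needs_reauth else "anonymous"
        if now - self.access_time > IDLE_LIMIT:
            # Idle too long: drop the identity, keep the session and the form.
            self.form_owner, self.pending_form = self.user, form
            self.clear_authentication()
            self.needs_reauth = True
            return "reauth"
        self.access_time = now
        return "ok"

    def take_pending_form(self):
        """Return the cached form once, and only to an authenticated user."""
        if self.user is None:
            return None
        form, self.pending_form = self.pending_form, None
        return form

def demo(returning_user):
    t0 = datetime(2007, 6, 5, 23, 0)               # constructed timestamps
    late = t0 + timedelta(minutes=30)
    s = ReauthSession(t0)
    s.authenticate("alice", t0)
    states = [s.check_idle(t0 + timedelta(minutes=5)),
              s.check_idle(late, form={"subject": "draft"})]
    s.authenticate(returning_user, late)
    return states, s.take_pending_form()
```

The cached form is released only when the same user logs back in; a different user re-authenticating on the same session gets nothing.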