
Re: "Session expired" when clicking too fast



On Tue, Aug 16, 2011 at 5:30 AM, ario <..hidden..> wrote:
> Sorry to come back to this again, but it's not yet clear to me,
> especially what you mean by 'cluster', and no doubt my description of
> the problem contained some ambiguity/ies.

Ok.  One cluster is one instance of PostgreSQL listening on one port.
>
> I think I have one Pg 'cluster' on my computer, with different
> databases, each for one 'company', because when I set up (past tense)
> the system, I created various databases from within the LSMB browser.
> It's the switching between these databases that causes the
> inconvenience of having to re-submit a password over and again.
>
> Is that what you mean that can be solved by renaming a cookie?

Well, in 1.3, you have two choices:
1) You can use two different web browsers (you can do this in 1.2 too) or
2) You can install LedgerSMB twice and rename the cookie on one.

I note that Google Chrome's Incognito mode can be used to essentially
run Chrome as two browser instances (but not three).  If you have
Chrome and are accessing LedgerSMB 1.2 or 1.3 you could access the
second db in Incognito mode and that would solve the problem too.

In 1.3, the idea of having the same web browser hitting two different
databases is actually a bit more problematic because of the fact that
a given user account can be used against several databases.  Thus the
authentication is actually more tied to the browser session rather
than less.

If someone really needs the ability to open up two companies
side-by-side and compare in the same browser, I'd have to think about
the best way of doing this.  Renaming the cookie wouldn't be
sufficient because unless the database name is passed in the query
string the web server would have no way of knowing which cookie to
look at.  Two instances however can solve this by tying the cookie to
the path, but if the URL is the same that doesn't work.

SL solved this problem by passing the login back on every form and
using that to rename the cookie.  We haven't supported that since 1.1
(or even 1.0), I think, for reasons of trying to manage the security
of sessions.  At any rate it won't work when the same user credentials
can be used to log into multiple databases.

One option I think we should look for in 2.0 is the idea of every page
being a form, and every form submitting certain data back.  With the
shift to a new template system, this would become possible.  That
would allow us to move the database name out of the cookie, perhaps
even get rid of the cookie altogether.  Then the auth domain issue
would become arguably possible to solve without making a mess of
things.

Best Wishes,
Chris Travers
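The cookie-scoping behaviour discussed above (path-bound cookies keeping two instances apart, a single URL overwriting the first session, and renamed cookies being ambiguous unless the request names the database), as an added model that is not LedgerSMB's own code; the instance paths, cookie names and session ids are constructed placeholders.

```python
from dataclasses import dataclass, field

@dataclass
class CookieJar:
    """Browser-side model: a cookie is identified by (name, path)."""
    store: dict = field(default_factory=dict)

    def set_cookie(self, name, value, path):
        # Set-Cookie with an existing (name, path) replaces the old value.
        self.store[(name, path)] = value

    def cookies_for(self, request_path):
        # Only cookies whose Path is a prefix of the request path are sent.
        return {name: value for (name, path), value in self.store.items()
                if request_path.startswith(path)}

def login(jar, base_path, company, cookie_name="LedgerSMB"):
    """Instance at base_path issues a session cookie scoped to its own path."""
    session_id = f"sid-{company}"  # constructed placeholder, not a real session id
    jar.set_cookie(cookie_name, session_id, base_path)
    return session_id

def session_for(sent_cookies, company=None, cookie_name="LedgerSMB"):
    """Server side: with renamed cookies the request must name the company."""
    if company is not None:
        return sent_cookies.get(f"{cookie_name}_{company}")
    return sent_cookies.get(cookie_name)

def two_instances_keep_both_sessions():
    jar = CookieJar()
    a = login(jar, "/lsmb-a/", "companyA")
    b = login(jar, "/lsmb-b/", "companyB")
    # Each instance path only ever sees its own cookie, so both sessions survive.
    return (session_for(jar.cookies_for("/lsmb-a/login.pl")) == a
            and session_for(jar.cookies_for("/lsmb-b/login.pl")) == b)

def same_url_overwrites_first_session():
    jar = CookieJar()
    a = login(jar, "/lsmb/", "companyA")
    login(jar, "/lsmb/", "companyB")
    # Same name and path: companyA's session is gone, hence "Session expired".
    return session_for(jar.cookies_for("/lsmb/login.pl")) != a

def renamed_cookies_need_company_in_request():
    jar = CookieJar()
    a = login(jar, "/lsmb/", "companyA", cookie_name="LedgerSMB_companyA")
    b = login(jar, "/lsmb/", "companyB", cookie_name="LedgerSMB_companyB")
    sent = jar.cookies_for("/lsmb/login.pl")
    # Both cookies arrive; only a request carrying the company picks the right one.
    return (session_for(sent) is None and session_for(sent, "companyA") == a
            and session_for(sent, "companyB") == b)
```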