Re: "Session expired" when clicking too fast




On Tue, 2011-08-16 at 07:55 -0700, Chris Travers wrote:
> On Tue, Aug 16, 2011 at 5:30 AM, ario <..hidden..> wrote:
> > Sorry to come back to this again, but it's not yet clear to me,
> > especially what you mean by 'cluster', and no doubt my description of
> > the problem contained some ambiguity/ies.
> 
> Ok.  One cluster is one instance of PostgreSQL listening on one port.
> >
> > I think I have one Pg 'cluster' on my computer, with different
> > databases, each for one 'company', because when I set up (past tense)
> > the system, I created various databases from within the LSMB browser.
> > It's the switching between these databases that causes the
> > inconvenience of having to re-submit a password over and again.
> >
> > Is that what you mean that can be solved by renaming a cookie?
> 
> Well, in 1.3, you have two choices:
> 1) You can use two different web browsers (you can do this in 1.2 too) or

Ok, so it would be solved if I'd create a different firefox profile for
each company's database and made sure I'd access each database from
within a different profile?
Or (easier or at least faster for me), create different users (linux)
for each company and open a separate browser from within each user's
account for every database to be accessed?
Great! I'll do that at once!

Actually I just did it and it works, thanks for letting me know!

thanks

ario


> 2)  You can install LedgerSMB twice and rename the cookie on one.
> 
> I note that Google Chrome's Incognito mode can be used to essentially
> run Chrome as two browser instances (but not three).  If you have
> Chrome and are accessing LedgerSMB 1.2 or 1.3 you could access the
> second db in incognito mode and that would solve the problem too.
> 
> In 1.3, the idea of having the same web browser hitting two different
> databases is actually a bit more problematic because of the fact that
> a given user account can be used against several databases.  Thus the
> authentication is actually more tied to the browser session rather
> than less.
> 
> If someone really needs the ability to open up two companies
> side-by-side and compare in the same browser, I'd have to think about
> the best way of doing this.  Renaming the cookie wouldn't be
> sufficient because unless the database name is passed in the query
> string the web server would have no way of knowing which cookie to
> look at.  Two instances however can solve this by tying the cookie to
> the path, but if the URL is the same that doesn't work.
> 
> SL solved this problem by passing the login back on every form and
> using that to rename the cookie.  We haven't supported that since 1.1
> (or even 1.0), I think, for reasons of trying to manage the security
> of sessions.  At any rate it won't work when the same user credentials
> can be used to log into multiple databases.
> 
> One option I think we should look for in 2.0 is the idea of every page
> being a form, and every form submitting certain data back.  With the
> shift to a new template system, this would become possible.  That
> would allow us to move the database name out of the cookie, perhaps
> even get rid of the cookie altogether.  Then the auth domain issue
> would become arguably possible to solve without making a mess of
> things.
> 
> Best Wishes,
> Chris Travers
> 
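The cookie behaviour described in the quoted reply (one install overwriting its own session, a renamed cookie on the same URL, and two installs tied to different paths), as an added example that is not part of the original thread and is not LedgerSMB code. The jar follows the RFC 6265 storage and path-match rules; the host, paths, cookie names and values are constructed assumptions.

```javascript
// Minimal browser cookie jar: storage key and path-match follow RFC 6265.
// Host, cookie names, paths and values are constructed for illustration.
class CookieJar {
  constructor() {
    this.store = new Map();
  }

  // RFC 6265 section 5.1.4 path-match.
  static pathMatch(requestPath, cookiePath) {
    if (requestPath === cookiePath) return true;
    if (!requestPath.startsWith(cookiePath)) return false;
    return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
  }

  // A stored cookie is identified by (host, path, name); the same triple overwrites.
  set(host, path, name, value) {
    this.store.set([host, path, name].join("\n"), { host, path, name, value });
  }

  // Cookie pairs the browser would attach to a request for host + requestPath.
  sentTo(host, requestPath) {
    return [...this.store.values()]
      .filter((c) => c.host === host && CookieJar.pathMatch(requestPath, c.path))
      .map((c) => `${c.name}=${c.value}`);
  }
}

// One install, one cookie name: logging in to company B replaces company A's session.
function oneInstall() {
  const jar = new CookieJar();
  jar.set("erp.example", "/app/", "Session", "companyA:t1");
  jar.set("erp.example", "/app/", "Session", "companyB:t2");
  return jar.sentTo("erp.example", "/app/menu");
}

// Renamed cookie, same URL: both arrive, and nothing in the request says which applies.
function renamedSameUrl() {
  const jar = new CookieJar();
  jar.set("erp.example", "/app/", "SessionA", "companyA:t1");
  jar.set("erp.example", "/app/", "SessionB", "companyB:t2");
  return jar.sentTo("erp.example", "/app/menu");
}

// Two installs, cookie tied to each install's path: each request carries only its own.
function twoInstalls() {
  const jar = new CookieJar();
  jar.set("erp.example", "/app-a/", "Session", "companyA:t1");
  jar.set("erp.example", "/app-b/", "Session", "companyB:t2");
  return [jar.sentTo("erp.example", "/app-a/menu"), jar.sentTo("erp.example", "/app-b/menu")];
}
```

Separate browser profiles, OS users or an incognito window work for the same reason the two-install case does: each one keeps its own jar, so the sessions never share a storage key.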