[OSM-dev] Session Timeout

Tom Hughes tom at compton.nu
Thu Jun 14 13:13:15 BST 2007

In message <541CC253-B4E0-43ED-9FB5-CC60A1FFF45E at gmail.com>
        Shaun McDonald <shaunmcdonald131 at gmail.com> wrote:

> I'd like to know what the session timeout of www.openstreetmap.org is
> set to, because I'm fed up with it timing out in about 15 minutes of
> use. I think something like 5 hours is far more appropriate.

As far as I can tell (and it is very obtuse) there is no timeout.

Yes, I know that doesn't correspond to observed behaviour but as far
as I have been able to determine that is the situation.

The logic appears to go like this:

  - User submits login form.

  - Random token is generated and stored in database, along with
    a timeout set to 1 day in the future. That timeout is then
    never looked at.

  - Token is also added to Rails session hash. As far as I can
    determine the session hash is the default, that is to say an
    instance of CGI::Session::FileStore with no expiry set.

  - That means that a session cookie is issued to the browser
    with no expiry. That cookie should last until the browser
    is closed.

  - On future requests the cookie is used to find the session
    hash on disk, which is then used to get the token, which is
    used to look up the user in the database.

If anybody can point out somewhere where my diagnosis of the logic
involved is wrong then I'd be very grateful as it might help work
out what is going on.

One side effect of the above logic is that you can only be logged
in from one browser at a time, and logging in from a different browser
will kill your original session.


Tom Hughes (tom at compton.nu)
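
Added example, not part of the original message and not OpenStreetMap's code: a minimal Ruby model of the token flow described above, showing a lookup that ignores the stored timeout beside one that enforces it, plus the one-login-per-user side effect. The TokenStore class, its method names, the in-memory hash standing in for the database table and the multi_session switch are all assumptions made for illustration.

```ruby
require 'securerandom'

# Hypothetical in-memory stand-in for the token table in the message.
class TokenStore
  TTL = 24 * 60 * 60 # one day, the timeout the message says is stored

  def initialize(multi_session: false)
    @multi_session = multi_session
    @rows = {} # token => { user:, expires_at: }
  end

  # Login: issue a random token and record when it should expire.
  def login(user, now: Time.now)
    # Assumed single-token mode, matching the side effect in the message:
    # a new login replaces whatever token the user already had.
    @rows.delete_if { |_, row| row[:user] == user } unless @multi_session
    token = SecureRandom.hex(32)
    @rows[token] = { user: user, expires_at: now + TTL }
    token
  end

  # Lookup as the message describes it: the stored timeout is never read,
  # so a token stays valid for as long as the row exists.
  def lookup_unchecked(token)
    row = @rows[token]
    row && row[:user]
  end

  # Lookup with the expiry enforced: a stale token is rejected and purged,
  # so a leaked or forgotten token stops working after TTL.
  def lookup(token, now: Time.now)
    row = @rows[token]
    return nil unless row
    if now >= row[:expires_at]
      @rows.delete(token)
      return nil
    end
    row[:user]
  end
end
```

Passing `multi_session: true` keeps earlier tokens alive, so a second browser login no longer invalidates the first.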

