authorMark Sapiro <msapiro@value.net>2011-04-25 15:40:16 -0700
committerMark Sapiro <msapiro@value.net>2011-04-25 15:40:16 -0700
commit9bc9d9c391b0726d9b4538a79732f24f7d974443 (patch)
tree44e0e1463b83a6959fd848d9a25c2cb89faa7ede /Mailman/SecurityManager.py
parent663e0178728b6618064743a737f72889f014787e (diff)
A new mm_cfg.py setting AUTHENTICATION_COOKIE_LIFETIME has been added.
If this is set to a non-zero value, web authentication cookies will expire that many seconds following their last use. Its default value is zero to preserve current behavior.
Diffstat (limited to 'Mailman/SecurityManager.py')
-rw-r--r--Mailman/SecurityManager.py7
1 files changed, 6 insertions, 1 deletions
diff --git a/Mailman/SecurityManager.py b/Mailman/SecurityManager.py
index 902c1fdd..c2f57cc4 100644
--- a/Mailman/SecurityManager.py
+++ b/Mailman/SecurityManager.py
@@ -1,4 +1,4 @@
-# Copyright (C) 1998-2008 by the Free Software Foundation, Inc.
+# Copyright (C) 1998-2011 by the Free Software Foundation, Inc.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
@@ -224,6 +224,8 @@ class SecurityManager:
for ac in authcontexts:
ok = self.CheckCookie(ac, user)
if ok:
+ # Refresh the cookie
+ print self.MakeCookie(ac, user)
return True
# Check passwords
ac = self.Authenticate(authcontexts, response, user)
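Review bot: The refresh added on the cookie-success path runs on every authenticated request regardless of the new setting, so with AUTHENTICATION_COOKIE_LIFETIME at its default of zero each request still re-emits the cookie (presumably as a Set-Cookie header) even though nothing can expire. Guarding it as `if mm_cfg.AUTHENTICATION_COOKIE_LIFETIME: print self.MakeCookie(ac, user)` would leave the zero case's output exactly as before. The `print` presumably only has the intended effect while the CGI is still writing response headers, which the comment could state: `# Re-issue the cookie so the idle timeout restarts; must run before any body output.` The enclosing method starts and ends outside the hunk, so the order in which callers invoke it cannot be confirmed from here.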
@@ -342,6 +344,9 @@ class SecurityManager:
now = time.time()
if now < issued:
return False
+ if (mm_cfg.AUTHENTICATION_COOKIE_LIFETIME and
+ issued + mm_cfg.AUTHENTICATION_COOKIE_LIFETIME < now):
+ return False
# Calculate what the mac ought to be based on the cookie's timestamp
# and the shared secret.
mac = sha_new(secret + `issued`).hexdigest()
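Review bot: The new lifetime check is an idle timeout rather than a session cap, and nothing near it says so. The same commit re-issues the cookie on every successful check, so a cookie that keeps being presented inside the window never expires, which matters if one is ever captured. A comment above the check would make this explicit, e.g. `# Idle timeout only: the cookie is re-issued on each use, so there is no absolute session limit.` A negative AUTHENTICATION_COOKIE_LIFETIME passes the truthiness test and would make every cookie fail this comparison, so the setting's documentation should say it must be a non-negative number of seconds. The function's start and end are outside the hunk.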