[ic] controlling session expiration after purchase

Mike Heins heins@akopia.com
Sat, 3 Feb 2001 03:03:35 -0500

Quoting Andrew Waegel (andrew@benevolent-tech.com):
> Hello,
> I need to allow the administrative user of my interchange system to enter 
> multiple orders using the UI -without- having to log in over and over again.
> It seems that the session is expired upon successful checkout, which makes 
> sense, we don't want old purchase data hanging around.
> But is there any simple way to have the administrative user retain their 
> credentials after placing an order through the UI, so they don't have to 
> relogin?

Not at the moment. I just added a patch to CVS which allows recognition of
a MV_USERPROFILE cookie. I had been meaning to do it all along, but forgot.
Thanks for jogging my memory.

It would take just a little bit of patching of the login page to set the
hidden value mv_cookie_password=1, then on the admin/pages/entry.html
page you add:

	[set-cookie name=MV_USERPROFILE value=ui]

Now when entry.html takes you through the process, it logs you out
and logs you in as before. But the next time you come in, you will
be auto-logged-in and continue on.

This is a little bit insecure for the root admin user to do, since
it means saving the password to disk. Not too bad for a user who only
has permission to enter orders.

I will look at adding logic in the next version which recognizes this
situation and sets the expiration to nothing (meaning the cookie isn't
stored to disk).

Red Hat, Inc., 131 Willow Lane, Floor 2, Oxford, OH  45056
phone +1.513.523.7621 fax 7501 <heins@akopia.com>

Research is what I'm doing when I don't know what I'm doing.
-- Wernher Von Braun
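
The following is an added example, not part of the original message and not Interchange code: a small check over Set-Cookie headers that reports auto-login cookies sent with a future expiry (stored to disk) as opposed to no expiry (session only), which is the distinction the reply draws. MV_USERPROFILE is the name from the message; MV_USERNAME and MV_PASSWORD, the function names, and the sample headers and clock are assumptions constructed for illustration.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# MV_USERPROFILE comes from the message; the other two names are assumptions.
AUTOLOGIN_COOKIES = {"MV_USERPROFILE", "MV_USERNAME", "MV_PASSWORD"}

def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, lower-cased attributes)."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs

def is_persistent(attrs, now):
    """True if the browser would keep the cookie past the end of the session."""
    if "max-age" in attrs:                  # Max-Age overrides Expires (RFC 6265)
        try:
            return int(attrs["max-age"]) > 0
        except ValueError:
            pass                            # invalid Max-Age is ignored
    if "expires" in attrs:
        try:
            when = parsedate_to_datetime(attrs["expires"])
        except (TypeError, ValueError):
            return False                    # unparseable date: session cookie
        if when.tzinfo is None:
            when = when.replace(tzinfo=timezone.utc)
        return when > now
    return False                            # no expiry: session cookie

def persistent_autologin_cookies(headers, now):
    """Names of auto-login cookies that carry an expiry in the future."""
    flagged = []
    for header in headers:
        name, _value, attrs = parse_set_cookie(header)
        if name in AUTOLOGIN_COOKIES and is_persistent(attrs, now):
            flagged.append(name)
    return flagged

# Constructed sample headers and clock, not captured from a real server.
NOW = datetime(2001, 2, 3, 8, 3, 35, tzinfo=timezone.utc)
SAMPLE = [
    "MV_USERPROFILE=ui; path=/; expires=Sat, 10 Feb 2001 08:03:35 GMT",
    "MV_USERPROFILE=ui; path=/",
    "MV_PASSWORD=PLACEHOLDER; path=/; Max-Age=604800",
    "MV_USERNAME=orderentry; Max-Age=0; expires=Sat, 10 Feb 2001 08:03:35 GMT",
    "THEME=dark; expires=Sat, 10 Feb 2001 08:03:35 GMT",
]
if __name__ == "__main__":
    print(persistent_autologin_cookies(SAMPLE, NOW))
```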