Hello, I wanted to add some important points to <on session timeout>:
Now, after a session timeout, the client loses user_id (and so all permissions too), so he gets some errors about user_permissions, which is not very nice for an end (inexperienced) user. A good solution (and one becoming critical for us) would be to always log out the user after a session timeout.
I guess there are two ways of handling logout after session timeout:
1) Tersus should automatically log out a user whose session timed out
2) We should model automatic logout ourselves in Authorization module
However, with point 2) there is one problem:
On session timeout, we can't normally log out the user on the server side (can we?), so:
maybe there could be a different Logout mechanism for client and server side:
Logout stays as it is
There could be a mechanism similar to logging out all users when the timestamp file changes, but in this case it would be dedicated to one user (POST with some data to the user, so the client side knows to log out)
We wait for your opinion, ideas or solution :)