[ic] controlling session expiration after purchase

Mike Heins heins@akopia.com
Sat, 3 Feb 2001 03:03:35 -0500


Quoting Andrew Waegel (andrew@benevolent-tech.com):
> Hello,
> 
> I need to allow the administrative user of my interchange system to enter 
> multiple orders using the UI -without- having to log in over and over again.
> 
> It seems that the session is expired upon successful checkout, which makes 
> sense, we don't want old purchase data hanging around.
> 
> But is there any simple way to have the administrative user retain their 
> credentials after placing an order through the UI, so they don't have to 
> relogin?

Not at the moment. I just added a patch to CVS which allows recognition of
a MV_USERPROFILE cookie. I had been meaning to do it all along, but forgot.
Thanks for jogging my memory.

It would take just a little bit of patching of the login page to set the
hidden values mv_cookie_password=1, then on the admin/pages/entry.html
page you add:

	[set-cookie name=MV_USERPROFILE value=ui]

Now when entry.html takes you through the process, it logs you out
and logs you in as before. But the next time you come in, you will
be auto-logged-in and continue on.

This is a little bit insecure for the root admin user to do, since
it means saving the password to disk. Not too bad for a user who only
has permission to enter orders.

I will look at adding logic in the next version which recognizes this
situation and sets the expiration to nothing (meaning the cookie isn't
stored to disk).

-- 
Red Hat, Inc., 131 Willow Lane, Floor 2, Oxford, OH  45056
phone +1.513.523.7621 fax 7501 <heins@akopia.com>

Research is what I'm doing when I don't know what I'm doing.
-- Wernher Von Braun
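
Added example, not part of the original message and not Interchange code: a small Python check that reads `Set-Cookie` response headers and reports which login cookies carry a future expiration, which is the "saved to disk" case the reply warns about, as opposed to a cookie with no expiration that lasts only for the browser session. `MV_USERPROFILE` comes from the post; the `MV_USERNAME` and `MV_PASSWORD` names, the sample headers and the function names are assumptions made for the example.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# MV_USERPROFILE is named in the post; the other two names are assumed here.
LOGIN_COOKIES = {"MV_USERPROFILE", "MV_USERNAME", "MV_PASSWORD"}

def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, attrs), attr keys lowercased."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs

def lifetime(attrs, now):
    """Classify a cookie as 'session', 'persistent' (written to disk) or 'deleted'."""
    if "max-age" in attrs:  # Max-Age takes precedence over Expires
        try:
            return "persistent" if int(attrs["max-age"]) > 0 else "deleted"
        except ValueError:
            pass  # unparsable Max-Age is ignored; fall back to Expires
    if "expires" in attrs:
        try:
            when = parsedate_to_datetime(attrs["expires"])
        except (TypeError, ValueError):
            return "session"  # unparsable date: treated as if no expiry was given
        if when.tzinfo is None:
            when = when.replace(tzinfo=timezone.utc)
        return "persistent" if when > now else "deleted"
    return "session"  # no expiration: kept only until the browser closes

def persistent_login_cookies(headers, now, names=LOGIN_COOKIES):
    """Return the names of login cookies that the browser would store on disk."""
    parsed = [parse_set_cookie(h) for h in headers]
    return [n for n, _, a in parsed if n in names and lifetime(a, now) == "persistent"]

# Constructed sample headers, not captured from a real Interchange server.
NOW = datetime(2001, 2, 3, tzinfo=timezone.utc)
SAMPLE = [
    "MV_USERPROFILE=ui; path=/; expires=Sun, 03 Feb 2002 08:03:35 GMT",
    "MV_PASSWORD=example-not-a-real-password; path=/",
    "MV_USERNAME=orderentry; path=/; Max-Age=0",
    "MV_PASSWORD=example-not-a-real-password; Path=/; Expires=Sun, 03 Feb 2002 08:03:35 GMT",
]

print(persistent_login_cookies(SAMPLE, NOW))
```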