Use case: Unauthenticated users might get really short sessions, students 15-minute sessions, and staff or faculty hour-long sessions; there might also be a "grumpy user" group that needs *really* long sessions.
More generally, the ability to map group memberships to session lengths.
A user gets the longest session timeout available to any group of which he or she is a member (a user who is both student and faculty would get the hour-long session in the example above).
Code sketch at:
http://www.ja-sig.org/wiki/x/u4t7
The session timeout (a.k.a. max-inactive) values can be set using permissions. Using the existing permissions infrastructure for this purpose is attractive because:
Here's how it works...
If you don't use these permissions, nothing changes: you get exactly the same behavior as before.
If you do wish to use the feature, create permissions with the 'MAX_INACTIVE' activity whose target is an integer. Positive values set the session timeout to that many seconds; negative values mean the session never times out (the same convention as HttpSession.setMaxInactiveInterval). A never-expiring session lives until the user logs out or the container discards it, so reserve negative values for groups that genuinely need them.
These settings are applied in the LoginServlet just after the user authenticates, so a changed permission takes effect at the user's next login, not for sessions already in progress. You can specify both GRANT and DENY entries, and DENYs trump GRANTs (e.g. a GRANT of 1800 sec plus a DENY of 300 sec yields a 300 sec timeout). That makes a DENY a convenient hard cap for a group such as shared-workstation users, whatever their other groups grant.
You can set these permissions using Import/Export with XML like the following (included in the patch as Portal_Administrators__MAX_INACTIVE.permission as an example):
<permission script="classpath://org/jasig/portal/io/import-permission_v2-6.crn">
    <owner>system</owner>
    <principal-type>org.jasig.portal.groups.IEntityGroup</principal-type>
    <principal>
        <group>Portal Administrators</group>
    </principal>
    <activity>MAX_INACTIVE</activity>
    <target>
        <literal>3600</literal>
    </target>
    <permission-type>GRANT</permission-type>
</permission>
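The following is an added example and not part of the patch or of uPortal itself. It parses MAX_INACTIVE permissions written in the Import/Export XML shape shown above and applies the resolution rules described earlier (no matching permission leaves the container default alone, the longest GRANT wins, a negative value counts as "never", and any DENY trumps the GRANTs). The group names, the timeout values, the FakeSession stand-in for HttpSession, and the rule that the shortest of several DENYs wins are all assumptions made for the example; the page only specifies the single GRANT-plus-DENY case.

```python
"""Added example, not uPortal's own code: parse MAX_INACTIVE permissions in
the Import/Export XML shown above and resolve the timeout a user should get."""
import xml.etree.ElementTree as ET
from typing import Iterable, Optional

ACTIVITY = "MAX_INACTIVE"


def parse_permission(xml_text: str) -> dict:
    """Pull group, activity, integer target and GRANT/DENY out of one
    <permission> document. Raises ValueError when the target is not an
    integer, since the feature defines the target as a number of seconds."""
    root = ET.fromstring(xml_text)
    raw_target = root.findtext("target/literal")
    try:
        target = int(raw_target)
    except (TypeError, ValueError):
        raise ValueError(f"MAX_INACTIVE target must be an integer, got {raw_target!r}")
    return {
        "group": root.findtext("principal/group"),
        "activity": root.findtext("activity"),
        "target": target,
        "type": root.findtext("permission-type"),
    }


def _rank(seconds: int) -> float:
    """Ordering key: a negative value means 'never times out', so it counts
    as the longest possible session when comparing values."""
    return float("inf") if seconds < 0 else float(seconds)


def resolve_max_inactive(user_groups: Iterable[str], permissions: list) -> Optional[int]:
    """Return the max-inactive value (seconds; negative = never) to apply at
    login, or None when no MAX_INACTIVE permission matches any of the user's
    groups, in which case the container default is left untouched."""
    groups = set(user_groups)
    matching = [p for p in permissions
                if p["activity"] == ACTIVITY and p["group"] in groups]
    if not matching:
        return None
    # DENY trumps GRANT: GRANT 1800 + DENY 300 -> 300, as in the page's example.
    # Assumption: with several DENYs the most restrictive (shortest) one wins.
    denies = [p["target"] for p in matching if p["type"] == "DENY"]
    if denies:
        return min(denies, key=_rank)
    # Otherwise the user gets the longest GRANT among his or her groups.
    grants = [p["target"] for p in matching if p["type"] == "GRANT"]
    return max(grants, key=_rank) if grants else None


class FakeSession:
    """Constructed stand-in for javax.servlet.http.HttpSession; only the
    method the LoginServlet step needs is modelled."""
    def __init__(self, container_default: int = 1800):
        self.max_inactive = container_default

    def setMaxInactiveInterval(self, seconds: int) -> None:
        self.max_inactive = seconds


def apply_after_login(session: FakeSession, user_groups: Iterable[str], permissions: list) -> int:
    """What happens right after authentication: only touch the session when
    some MAX_INACTIVE permission matched, so unused permissions change nothing."""
    value = resolve_max_inactive(user_groups, permissions)
    if value is not None:
        session.setMaxInactiveInterval(value)
    return session.max_inactive


def _permission_xml(group: str, target: int, ptype: str) -> str:
    """Build a constructed sample document in the same shape as the page's
    Portal_Administrators__MAX_INACTIVE.permission example."""
    return f"""<permission script="classpath://org/jasig/portal/io/import-permission_v2-6.crn">
  <owner>system</owner>
  <principal-type>org.jasig.portal.groups.IEntityGroup</principal-type>
  <principal><group>{group}</group></principal>
  <activity>{ACTIVITY}</activity>
  <target><literal>{target}</literal></target>
  <permission-type>{ptype}</permission-type>
</permission>"""


# Constructed sample policy; group names and values are illustrative only.
SAMPLE_PERMISSIONS = [parse_permission(_permission_xml(g, t, p)) for g, t, p in [
    ("Students", 900, "GRANT"),             # 15 minutes
    ("Faculty", 3600, "GRANT"),             # one hour
    ("Grumpy Users", -1, "GRANT"),          # never times out
    ("Shared Workstations", 300, "DENY"),   # hard cap for anyone on a kiosk
]]

if __name__ == "__main__":
    for groups in ({"Students"}, {"Students", "Faculty"}, {"Grumpy Users"},
                   {"Grumpy Users", "Shared Workstations"}, {"Guests"}):
        print(sorted(groups), "->", apply_after_login(FakeSession(), groups, SAMPLE_PERMISSIONS))
```

The student-and-faculty user resolves to 3600, and a "grumpy" user on a shared workstation is capped at 300 even though one of their groups grants a never-expiring session, which is the behaviour you want from a DENY: it bounds the exposure of an unattended session regardless of how generous the other grants are.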