Cookies storing the session id are always treated like session cookies, ignoring the timeout config parameter #746

Open
gentakojima opened this issue Oct 17, 2022 · 0 comments


The cookie for storing the session id in the web browser is set using self._setcookie in line 155 of sessions.py.

The same method is also called to delete the cookie, so it has a parameter called expires which defaults to an empty string. All the other options are taken from self._config instead inside the method, but not this one.

This means the timeout parameter is ignored, since setting web.config.session_parameters['timeout'] to any value does virtually nothing. If the user closes the web browser, then opens it again, the cookie with the session id won't be there anymore so the session can't be recovered.

Changing the line 155 fixes the issue for me and sessions are preserved even if I close and reopen the browser, which I think should be the intended behaviour.

From this:

self._setcookie(self.session_id)

To this:

self._setcookie(self.session_id, expires=self._config.timeout)

Changing the self._setcookie definition just below should cause the same effect, since this method is only called twice, but I didn't test it.

From this:

def _setcookie(self, session_id, expires="", **kw):

To this:

def _setcookie(self, session_id, expires=self._config.timeout, **kw):
@gentakojima gentakojima changed the title Cookies storing the session id are always trated like session cookies, ignoring the timeout config parameter Cookies storing the session id are always treated like session cookies, ignoring the timeout config parameter Oct 17, 2022
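The behaviour reported in the issue above, as an added standard-library illustration that is not web.py code and not part of the original post: the same `_setcookie` pattern emits a browser-session cookie when `expires` stays empty and a persistent one when it is taken from the configured timeout. `SessionCookieDemo`, `cookie_lifetime`, the `honor_timeout` switch and the config values are hypothetical names and constructed samples; since a default argument cannot reference `self`, the sketch resolves the timeout through a `None` sentinel.

```python
# Added illustration: a stand-in for the pattern in the issue, not web.py's code.
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from http.cookies import SimpleCookie


class Config:
    cookie_name = "webpy_session_id"  # constructed sample value
    timeout = 86400                   # seconds, constructed sample value


class SessionCookieDemo:
    def __init__(self, config, honor_timeout):
        self._config = config
        self._honor_timeout = honor_timeout  # hypothetical switch: before/after

    def _setcookie(self, session_id, expires=None, **kw):
        # A default value cannot reference self, so None is the sentinel
        # and the configured timeout is looked up at call time.
        if expires is None:
            expires = self._config.timeout if self._honor_timeout else ""
        cookie = SimpleCookie()
        cookie[self._config.cookie_name] = session_id
        morsel = cookie[self._config.cookie_name]
        if expires != "":
            morsel["expires"] = expires  # int: seconds relative to now
        morsel["httponly"] = True
        morsel["path"] = "/"
        return morsel.OutputString()

    def save(self, session_id):
        # Same call shape as the line quoted in the issue.
        return self._setcookie(session_id)

    def kill(self, session_id):
        # Deleting the cookie still needs an explicit past expiry.
        return self._setcookie(session_id, expires=-1)


def cookie_lifetime(set_cookie_value):
    """Seconds until expiry, or None for a browser-session cookie."""
    for part in set_cookie_value.split(";")[1:]:
        name, _, value = part.strip().partition("=")
        if name.lower() == "expires":
            when = parsedate_to_datetime(value)
            return (when - datetime.now(timezone.utc)).total_seconds()
    return None


if __name__ == "__main__":
    for honor in (False, True):
        print(honor, SessionCookieDemo(Config, honor).save("abc123"))
```

Running `cookie_lifetime` over captured `Set-Cookie` values is a quick way to check that the client-side cookie lifetime agrees with the server-side session timeout.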