Should fix bbangert#60 also adds tests to replicate the issue and avoid regressions

Author: amol-

beaker/session.py

@@ -535,9 +535,13 @@ def __init__(self, request, key='beaker.session.id', timeout=None,
                 self._path = self.get('_path', '/')
             except:
                 pass
-            if self.timeout is not None and time.time() - \
-               self['_accessed_time'] > self.timeout:
-                self.clear()
+
+            if self.timeout is not None:
+                now = time.time()
+                last_accessed_time = self.get('_accessed_time', now)
+                if now - last_accessed_time > self.timeout:
+                    self.clear()
+
             self.accessed_dict = self.copy()
             self._create_cookie()
 

tests/test_cookie_only.py

@@ -1,4 +1,4 @@
-import datetime
+import datetime, time
 import re
 import os
 
@@ -141,6 +141,65 @@ def invalidate_session_app(environ, start_response):
     res = app.get('/')
     assert 'expires=' not in res.headers.getall('Set-Cookie')[0]
 
+
+def test_changing_encrypt_key_with_timeout():
+    COMMON_ENCRYPT_KEY = '666a19cf7f61c64c'
+    DIFFERENT_ENCRYPT_KEY = 'hello-world'
+
+    options = {'session.encrypt_key': COMMON_ENCRYPT_KEY,
+               'session.timeout': 300,
+               'session.validate_key': 'hoobermas',
+               'session.type': 'cookie'}
+    app = TestApp(SessionMiddleware(simple_app, **options))
+    res = app.get('/')
+    assert 'The current value is: 1' in res, res
+
+    # Get the session cookie, so we can reuse it.
+    cookies = res.headers['Set-Cookie']
+
+    # Check that we get the same session with the same cookie
+    options = {'session.encrypt_key': COMMON_ENCRYPT_KEY,
+               'session.timeout': 300,
+               'session.validate_key': 'hoobermas',
+               'session.type': 'cookie'}
+    app = TestApp(SessionMiddleware(simple_app, **options))
+    res = app.get('/', headers={'Cookie': cookies})
+    assert 'The current value is: 2' in res, res
+
+    # Now that we are sure that it reuses the same session,
+    # change the encrypt_key so that it is unable to understand the cookie.
+    options = {'session.encrypt_key': DIFFERENT_ENCRYPT_KEY,
+               'session.timeout': 300,
+               'session.validate_key': 'hoobermas',
+               'session.type': 'cookie'}
+    app = TestApp(SessionMiddleware(simple_app, **options))
+    res = app.get('/', headers={'Cookie': cookies})
+
+    # Let's check it created a new session as the old one is invalid
+    # in the past it just crashed.
+    assert 'The current value is: 1' in res, res
+
+
+def test_cookie_properly_expires():
+    COMMON_ENCRYPT_KEY = '666a19cf7f61c64c'
+
+    options = {'session.encrypt_key': COMMON_ENCRYPT_KEY,
+               'session.timeout': 1,
+               'session.validate_key': 'hoobermas',
+               'session.type': 'cookie'}
+    app = TestApp(SessionMiddleware(simple_app, **options))
+    res = app.get('/')
+    assert 'The current value is: 1' in res, res
+
+    res = app.get('/')
+    assert 'The current value is: 2' in res, res
+
+    # Wait session to expire and check it starts with a clean one
+    time.sleep(1)
+    res = app.get('/')
+    assert 'The current value is: 1' in res, res
+
+
 if __name__ == '__main__':
     from paste import httpserver
     wsgi_app = SessionMiddleware(simple_app, {})