authorChris McDonough <chrism@agendaless.com>2009-10-20 22:49:53 +0000
committerChris McDonough <chrism@agendaless.com>2009-10-20 22:49:53 +0000
commit6506f3651f5ed483d6852f9419790220b3258bb0 (patch)
tree9aad57076df4ef15d9b7895a1a11802b92f7c9a2
parent20d25a03196a569eba5691cd67c856e6da38f22b (diff)
- Re-issue the authentication ticket if the cookie has expired when
``repoze.bfg.security.remember`` is called while the ``authtktauthenticationpolicy`` authentication policy is in effect. (Patch from Andreas Zeidler).
-rw-r--r--CHANGES.txt8
-rw-r--r--repoze/bfg/authentication.py6
-rw-r--r--repoze/bfg/tests/test_authentication.py8
3 files changed, 20 insertions, 2 deletions
diff --git a/CHANGES.txt b/CHANGES.txt
index bc1a5d039..9daf23b0d 100644
--- a/CHANGES.txt
+++ b/CHANGES.txt
@@ -12,6 +12,14 @@ Features
registration of "settings" values obtained via
``repoze.bfg.settings.get_settings()`` for use in unit tests.
+Bug Fixes
+---------
+
+- Re-issue authentication ticket if the cookie has expired when using
+ ``repoze.bfg.security.remember`` when the
+ ``authtktauthenticationpolicy`` authentication policy is in effect.
+ (Patch from Andreas Zeidler).
+
Documentation
-------------
diff --git a/repoze/bfg/authentication.py b/repoze/bfg/authentication.py
index 5bd3e9c4b..144e1bf39 100644
--- a/repoze/bfg/authentication.py
+++ b/repoze/bfg/authentication.py
@@ -352,8 +352,10 @@ class AuthTktCookieHelper(object):
(timestamp,old_userid,old_tokens,
old_userdata) = auth_tkt.parse_ticket(
self.secret, old_cookie_value, remote_addr)
+ now = time.time()
+ expired = self.timeout and ((timestamp + self.timeout) < now)
except auth_tkt.BadTicket:
- pass
+ expired = False
encoding_data = self.userid_type_encoders.get(type(userid))
if encoding_data:
@@ -368,7 +370,7 @@ class AuthTktCookieHelper(object):
old_data = (old_userid, old_tokens, old_userdata)
new_data = (userid, tokens, userdata)
- if old_data != new_data:
+ if old_data != new_data or expired:
ticket = auth_tkt.AuthTicket(
self.secret,
userid,
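Review bot: The `expired` flag on the `now = time.time()` / `expired = ...` lines is not a strict bool: when `self.timeout` is unset the `and` short-circuits and `expired` becomes `None` or `0`, which works in the `or expired` test below but reads as a tri-state; `expired = bool(self.timeout) and (timestamp + self.timeout) < now` makes the intent explicit. The `remember` method starts and ends outside these hunks, so it is not visible whether the try/except is unconditional; if it sits under a guard such as "only when an old cookie is present", `expired` would be unbound at `if old_data != new_data or expired:` and a default of `expired = False` before the try would close that. The comparison relies on the ticket's own `timestamp`, presumably validated by `parse_ticket` against `self.secret` before it is trusted (confirm), and a short comment at the changed condition would help the next reader: `# re-mint even for an unchanged identity once the old ticket is past its timeout`. The accompanying test only exercises the expired case; a companion asserting that an unexpired, unchanged ticket still yields `None` would keep an always-reissue regression from passing.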
diff --git a/repoze/bfg/tests/test_authentication.py b/repoze/bfg/tests/test_authentication.py
index 12ecb6b16..9420df1a1 100644
--- a/repoze/bfg/tests/test_authentication.py
+++ b/repoze/bfg/tests/test_authentication.py
@@ -528,6 +528,14 @@ class TestAuthTktCookieHelper(unittest.TestCase):
value)
self.failUnless('; Expires=' in value)
+ def test_remember_reissue_expired_cookie(self):
+ import time
+ plugin = self._makeOne('secret', timeout=2, reissue_time=1)
+ old_val = self._makeTicket(userid='userid', time=time.time()-3)
+ request = self._makeRequest({'HTTP_COOKIE':'auth_tkt=%s' % old_val})
+ result = plugin.remember(request, 'userid', userdata='userdata')
+ self.failIf(result is None, 'not re-issued?')
+
def test_forget(self):
plugin = self._makeOne('secret')
request = self._makeRequest()