2 files changed, 12 insertions, 2 deletions

diff --git a/repoze/bfg/authentication.py b/repoze/bfg/authentication.py
index 5bd3e9c4b..144e1bf39 100644
--- a/repoze/bfg/authentication.py
+++ b/repoze/bfg/authentication.py
@@ -352,8 +352,10 @@ class AuthTktCookieHelper(object):
                 (timestamp,old_userid,old_tokens,
                  old_userdata) = auth_tkt.parse_ticket(
                     self.secret, old_cookie_value, remote_addr)
+                now = time.time()
+                expired = self.timeout and ((timestamp + self.timeout) < now)
             except auth_tkt.BadTicket:
-                pass
+                expired = False
 
         encoding_data = self.userid_type_encoders.get(type(userid))
         if encoding_data:
@@ -368,7 +370,7 @@ class AuthTktCookieHelper(object):
         old_data = (old_userid, old_tokens, old_userdata)
         new_data = (userid, tokens, userdata)
 
-        if old_data != new_data:
+        if old_data != new_data or expired:
             ticket = auth_tkt.AuthTicket(
                 self.secret,
                 userid,
diff --git a/repoze/bfg/tests/test_authentication.py b/repoze/bfg/tests/test_authentication.py
index 12ecb6b16..9420df1a1 100644
--- a/repoze/bfg/tests/test_authentication.py
+++ b/repoze/bfg/tests/test_authentication.py
@@ -528,6 +528,14 @@ class TestAuthTktCookieHelper(unittest.TestCase):
             value)
         self.failUnless('; Expires=' in value)
 
+    def test_remember_reissue_expired_cookie(self):
+        import time
+        plugin = self._makeOne('secret', timeout=2, reissue_time=1)
+        old_val = self._makeTicket(userid='userid', time=time.time()-3)
+        request = self._makeRequest({'HTTP_COOKIE':'auth_tkt=%s' % old_val})
+        result = plugin.remember(request, 'userid', userdata='userdata')
+        self.failIf(result is None, 'not re-issued?')
+
     def test_forget(self):
         plugin = self._makeOne('secret')
         request = self._makeRequest()