Timeout depends on user's parameters:
Session should ever expire because they can be used for tracking, not just authentication. Nevertheless, on timeout, user should be logged out. How user is logged out/in is very application specific. I suggest you create a model file called models/timeout.py that contains

    import time

    TIMEOUT = 30*60  # seconds
    PATH_ON_TIMEOUT = '/%s/default/logout' % request.application

    # Skip the check on the logout page itself so the redirect does not loop.
    if session.lastrequest and session.lastrequest < time.time()-TIMEOUT and request.env.path_info != PATH_ON_TIMEOUT:
        # optional if you don't care about tracking usage:
        session.clear()
        redirect(PATH_ON_TIMEOUT)
    # Record the time of this request for the next check.
    session.lastrequest = time.time()

and create a controller default/logout that performs the logout. I do not think you need more.
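
The idle-timeout check from the post above, as an added framework-free example that is not the poster's code: a plain dict stands in for web2py's session, and `check_idle_timeout`, `replay`, the app name `myapp` and the `visits` counter are hypothetical names introduced here. It replays a constructed request timeline to show the boundary case, the logout-path exemption, and what `session.clear()` does to tracking data.

```python
import time

TIMEOUT = 30 * 60  # seconds, same value as in the post


def check_idle_timeout(session, path, app, now=None, clear_on_timeout=False):
    """Return the logout path if the session idled out, else None.

    session is a plain dict standing in for web2py's session (assumption).
    """
    now = time.time() if now is None else now
    logout_path = '/%s/default/logout' % app
    last = session.get('lastrequest')
    expired = last is not None and last < now - TIMEOUT
    # The logout page is exempt, otherwise the redirect would loop forever.
    if expired and path != logout_path:
        if clear_on_timeout:
            session.clear()  # also discards any tracking data
        # As in the post, lastrequest is not refreshed before redirecting.
        return logout_path
    session['lastrequest'] = now
    return None


def replay(requests, app='myapp', clear_on_timeout=False):
    """Feed (timestamp, path) pairs through the check; return outcomes and session."""
    session = {}
    outcomes = []
    for now, path in requests:
        # 'visits' is a hypothetical tracking value kept in the session.
        session['visits'] = session.get('visits', 0) + 1
        outcomes.append(check_idle_timeout(session, path, app, now, clear_on_timeout))
    return outcomes, session


# Constructed timeline: seconds since the first request.
TIMELINE = [
    (0, '/myapp/default/index'),      # first request, nothing to compare
    (1799, '/myapp/default/index'),   # within the window
    (3599, '/myapp/default/index'),   # idle exactly TIMEOUT: not expired (strict <)
    (5400, '/myapp/default/index'),   # idle TIMEOUT + 1: redirected to logout
    (5401, '/myapp/default/logout'),  # exempt path, timestamp refreshed
    (5402, '/myapp/default/index'),   # fresh window
]

if __name__ == '__main__':
    for flag in (False, True):
        print(flag, replay(TIMELINE, clear_on_timeout=flag))
```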