Max Semenik wrote:
I propose to raise the default ($wgCookieExpiration) at least to 90 days from current 30.
This setting was supposed to combat leakage of logged in sessions by making them expire before before an attacker grabs them. However, cookie expiry does little to stop bad guys and annoys good ones:
- Once you've left a public PC without clicking on "log out", your
session is already compromised, even making cookies session-only won't help.
- If nobody looks specifically for your session, they can stumble upon
it accidentally, while browsing the same site as you did. Lowish expiry time can indeed help lessen this possibility, however with Wikipedia's popularity there's pretty solid chance that someone will visit it from a public teminal within hours, not days. Less popular sites are, on the other hand, protected by smaller possibilities of someone looking for them.
- MediaWiki provides no way to adjust preferences without having an
account, so advice "register and set this or that in 'my preferences'" is pretty popular these days. However, the need to log in every month which is mildly annoying for wiki regulars, may have a drastic effect on casual visitors. "You told me to register and when I did, I had to relogin after a couple of visits!!1"
That's better than the "I don't remember what my password is since I never needed to input it, I was always logged in." reports.
Instead of randomly increasing the cookies lifetime, I think that we should be renewing the cookies if the session has more than eg. 24 hours. That way, you would never need to login again if you browsed the wiki at least once in the last month.
Personally, I don't find annoying having to log in once a month. It's the CentralAuth third party cookies (+ firefox behavior) what makes them expire.