I propose to raise the default ($wgCookieExpiration) at least to 90
days from current 30.
This setting was supposed to combat leakage of logged in sessions by
making them expire before before an attacker grabs them. However,
cookie expiry does little to stop bad guys and annoys good ones:
* Once you've left a public PC without clicking on "log out", your
session is already compromised, even making cookies session-only won't
help.
* If nobody looks specifically for your session, they can stumble upon
it accidentally, while browsing the same site as you did. Lowish
expiry time can indeed help lessen this possibility, however with
Wikipedia's popularity there's pretty solid chance that someone will
visit it from a public teminal within hours, not days. Less popular
sites are, on the other hand, protected by smaller possibilities of
someone looking for them.
* MediaWiki provides no way to adjust preferences without having an
account, so advice "register and set this or that in 'my preferences'"
is pretty popular these days. However, the need to log in every month
which is mildly annoying for wiki regulars, may have a drastic effect
on casual visitors. "You told me to register and when I did, I had to
relogin after a couple of visits!!1"
Taking this all into account, I see no reason to keep the current
default.
--
Max Semenik ([[User:MaxSem]])