On Sun, Aug 22, 2010 at 4:09 PM, MZMcBride z@mzmcbride.com wrote:
What's the reason for having the cookie expire at all (or expire in any reasonable timeframe)? I'm not sure I see what security benefits any expiry provides (much less a 30-day one) given the rampant use of password stores in browsers.
The major purpose that I know of is so that users who don't have their browser save their passwords are actually forced to enter their password once in a while so they don't forget it. I don't know if there's any other reason for it.
Another option would be to add a user preference for cookie expiry, but suggesting the addition of new user preferences usually activates the Aryeh rage machine. :-)
GRRAAARRR!!!!!!!!! >:(((
On Sun, Aug 22, 2010 at 4:38 PM, Platonides Platonides@gmail.com wrote:
Instead of randomly increasing the cookies lifetime, I think that we should be renewing the cookies if the session has more than e.g. 24 hours. That way, you would never need to log in again if you browsed the wiki at least once in the last month.
Personally, I don't find having to log in once a month annoying. It's the CentralAuth third-party cookies (+ Firefox behavior) that make them expire.
It's not annoying if you're a frequent user, particularly not if you have your browser save passwords. But it's really annoying on sites you only visit once in a while and aren't committed to at all. If you find yourself logged out when you visit, odds are good you won't bother logging in, particularly not if you don't have the password saved (which is more likely if you very rarely visit the site).
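
The renewal scheme Platonides proposes above, sketched as an added example (not MediaWiki's code and not from any poster in this thread). A server cannot read a cookie's expiry back from the browser, so the issue time is carried inside an HMAC-signed value; the cookie format, `SECRET` and all function names are assumptions, while the 30-day and 24-hour figures come from the thread.

```python
import hashlib
import hmac

LIFETIME = 30 * 24 * 3600          # cookie lifetime discussed in the thread: 30 days
RENEW_AFTER = 24 * 3600            # renewal threshold proposed in the thread: 24 hours
SECRET = b"constructed-demo-key"   # placeholder; a real key lives in server config


def _mac(payload: str) -> str:
    return hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()


def issue(user: str, now: int) -> str:
    """Build a cookie value of the (assumed) form 'user|issued_at|mac'."""
    payload = f"{user}|{now}"
    return f"{payload}|{_mac(payload)}"


def check(cookie: str, now: int):
    """Return (user, replacement_cookie_or_None); user is None when rejected."""
    try:
        user, issued_s, mac = cookie.rsplit("|", 2)
        issued = int(issued_s)
    except ValueError:
        return None, None
    expected = _mac(f"{user}|{issued_s}")
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return None, None              # tampered issue time or user name
    age = now - issued
    if age < 0 or age > LIFETIME:
        return None, None              # expiry is enforced server-side too
    if age > RENEW_AFTER:
        return user, issue(user, now)  # re-send Set-Cookie with a fresh 30 days
    return user, None                  # younger than 24 hours: leave it alone


def simulate(visit_days):
    """Replay visits given in days since login; return one outcome per visit."""
    cookie, outcomes = issue("alice", 0), []
    for day in visit_days:
        user, fresh = check(cookie, int(day * 86400))
        if user is None:
            outcomes.append("logged out")
            break
        outcomes.append("renewed" if fresh else "kept")
        cookie = fresh or cookie
    return outcomes
```

Each renewal restarts the 30-day clock for whoever presents the cookie, so this scheme has no absolute session age limit unless one is added.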