On Sun, Aug 22, 2010 at 4:09 PM, MZMcBride <z(a)mzmcbride.com> wrote:
What's the reason for having the cookie expire at all (or expire in any
reasonable timeframe)? I'm not sure I see what security benefits any expiry
provides (much less a 30-day one) given the rampant use of password stores
in browsers.
The major purpose that I know of is so that users who don't have their
browser save their passwords are actually forced to enter their
password once in a while so they don't forget it. I don't know if
there's any other reason for it.
Another option would be to add a user preference for cookie expiry, but
suggesting the addition of new user preferences usually activates the Aryeh
rage machine. :-)
GRRAAARRR!!!!!!!!! >:(((
On Sun, Aug 22, 2010 at 4:38 PM, Platonides <Platonides(a)gmail.com> wrote:
Instead of randomly increasing the cookies' lifetime, I think that we
should be renewing the cookies if the session has more than e.g. 24 hours.
That way, you would never need to log in again if you browsed the wiki at
least once in the last month.
Personally, I don't find having to log in once a month annoying. It's
the CentralAuth third-party cookies (+ Firefox behavior) that make them
expire.
It's not annoying if you're a frequent user, particularly not if you
have your browser save passwords. But it's really annoying on sites
you only visit once in a while and aren't committed to at all. If you
find yourself logged out when you visit, odds are good you won't
bother logging in, particularly not if you don't have the password
saved (which is more likely if you very rarely visit the site).
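
The renewal scheme Platonides proposes above, sketched as an added example (not MediaWiki's code and not posted by anyone in this thread): a signed login cookie with the 30-day lifetime is reissued whenever it is more than 24 hours old. The cookie layout, the key, and the names `issue`, `check` and `simulate` are assumptions made for the illustration.

```python
import hashlib
import hmac

DAY = 86400
LIFETIME = 30 * DAY      # the 30-day expiry discussed in the thread
RENEW_AFTER = 1 * DAY    # the "more than e.g. 24 hours" threshold from the proposal
SECRET = b"constructed-demo-key"  # constructed value for the example only


def _tag(body: str) -> str:
    return hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()


def issue(user: str, now: int) -> str:
    """Return a cookie value of the assumed form user|issued_at|HMAC."""
    body = f"{user}|{now}"
    return f"{body}|{_tag(body)}"


def check(cookie: str, now: int):
    """Validate a cookie. Return (user, cookie_to_send) or (None, None)."""
    try:
        user, issued_s, tag = cookie.rsplit("|", 2)
        issued = int(issued_s)
    except ValueError:
        return None, None                    # malformed
    expected = _tag(f"{user}|{issued}")
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return None, None                    # modified or forged
    age = now - issued
    if age < 0 or age > LIFETIME:
        return None, None                    # expired: password needed again
    if age > RENEW_AFTER:
        return user, issue(user, now)        # renew: the 30-day clock restarts
    return user, cookie                      # younger than 24 hours: keep as is


def simulate(visit_days):
    """Log in on day 0, visit on the given days, report login state per visit."""
    cookie = issue("alice", 0)
    states = []
    for day in visit_days:
        user, fresh = check(cookie, day * DAY)
        states.append(user is not None)
        if fresh:
            cookie = fresh
    return states
```

With renewal, visits on days 20, 45, 70 and 99 all stay logged in, while a single gap longer than 30 days (day 10, then day 45) still ends the login.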