On 12/19/2012 12:47 AM, Tyler Romeo wrote:
Maybe I'm missing something, but where is the 180 days number coming from. When User::setCookies() sets the cookies, it gives it no expiry, so in reality the cookie persists until the browser removes it.
Here (https://gerrit.wikimedia.org/r/gitweb?p=mediawiki/core.git;a=blob;f=includes...) User::setCookies calls User::setCookie (singular) with expiration 0 for UserID and UserName. I don't know where you see no expiration.
However, User::setCookie (https://gerrit.wikimedia.org/r/gitweb?p=mediawiki/core.git;a=blob;f=includes...) itself says "if 0 or not specified, use the default $wgCookieExpiration"
It actually calls WebResponse::setcookie (https://gerrit.wikimedia.org/r/gitweb?p=mediawiki/core.git;a=blob;f=includes...). Both User::setCookie and WebResponse::setcookie default the $exp if it is not passed in, though it is in this case. setcookie does that expiration logic.
0 corresponds to expire = time() + $wgCookieExpiration.
I don't see any way there can be an infinite cookie.
Matt Flaschen