Forum OpenACS Development: Re: Session expiration

2: Re: Session expiration (response to 1)
Posted by Enrique Catalan on
Hi,

In OpenACS HEAD, LoginTimeOut doesn't seem to work well. SessionTimeOut works OK, though, as do SessionRenew and SessionSweepInterval.

According to https://openacs.org/doc/security-requirements.html , the definition of Persistent Login is to log the user in forever. Do you think it would be a good idea to use a parameter to expire the persistent login (for example, SessionLifeTime)? Gmail seems to have a 2-week persistent login policy, and in OpenACS SessionLifeTime is 1 week by default.

One more question: is there any reason why the values of cookies are not encrypted?

We're working on a patch to fix the LoginTimeOut issue and improve SessionTimeOut by showing a feedback message to the user. However, I'd like to know if you're OK with us checking SessionLifeTime to expire the persistent login, or if you have better ideas.

Thanks