Forum OpenACS Q&A: Response to Cookie Expiration Recommendations

Posted by Jason Khong on
Hi David, thanks for your input.

Can you please explain to me what the "PersistentLoginDefaultP 0" actually does?

I just tried using those params you mentioned (it's the same as what I did before the quick "no expiration date" hack for option 2). The problem is that if a user closes his browser without logging out, anyone sitting at his computer can still access his account within the 2 hours that the session cookie takes to expire.

I do agree however with your comments on option 1. If there's a way to make a cookie expire after x hours or when user closes browser, *whichever comes first*, then it'll be perfect!

The problem with applying only option 2 (my quick fix) is that a user might end up at some public internet terminal that does not allow the browser to be closed. Then if the user forgets to log out/rushes off to catch the plane without logging out then the cookie will remain active forever...

Anyway, if the params you mention can achieve both option 1 and 2 the way I hope for, then please correct me about my comments and tell me quick so that I can revert to that :)
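The "expire after x hours or when the browser closes, whichever comes first" behaviour asked about above, as an added Python example that is not OpenACS code and was not posted in this thread. The usual way to get both is to send a cookie with no Expires/Max-Age (so the browser drops it on exit) and to enforce the time limit on the server against a stored session record. The class and function names, the `session_id` cookie name and the 15-minute idle limit are assumptions; the 2-hour cap matches the thread.

```python
"""Session cookie that dies at browser close OR after a server-side time
limit, whichever comes first. Added example; names are hypothetical."""
import secrets
from http.cookies import SimpleCookie
from typing import Optional, Tuple

ABSOLUTE_LIMIT = 2 * 3600   # "x hours" from the thread: hard cap since login
IDLE_LIMIT = 15 * 60        # assumption: also drop sessions idle this long


class SessionStore:
    """Server-side session records keyed by a random token."""

    def __init__(self) -> None:
        self._sessions = {}  # token -> {"user", "issued", "last_seen"}

    def issue_session(self, user: str, now: float) -> Tuple[str, str]:
        """Create a session and return (token, Set-Cookie header value).
        The cookie has NO Expires/Max-Age, so the browser discards it when
        closed (option 1); the server enforces the time cap (option 2)."""
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {"user": user, "issued": now, "last_seen": now}
        cookie = SimpleCookie()
        cookie["session_id"] = token            # hypothetical cookie name
        cookie["session_id"]["path"] = "/"
        cookie["session_id"]["httponly"] = True  # not readable from scripts
        cookie["session_id"]["secure"] = True    # only sent over HTTPS
        # deliberately no "expires" / "max-age": this is a session cookie
        return token, cookie.output(header="").strip()

    def validate_session(self, token: str, now: float) -> Optional[str]:
        """Return the user if the session is still live, else None.
        A session is dead once EITHER limit has passed; the record is
        deleted so a cookie left on a public terminal cannot be reused."""
        sess = self._sessions.get(token)
        if sess is None:
            return None
        too_old = now - sess["issued"] > ABSOLUTE_LIMIT
        too_idle = now - sess["last_seen"] > IDLE_LIMIT
        if too_old or too_idle:
            del self._sessions[token]
            return None
        sess["last_seen"] = now
        return sess["user"]

    def logout(self, token: str) -> None:
        """Explicit logout kills the server-side record immediately."""
        self._sessions.pop(token, None)
```

Because the cutoff lives on the server, a cookie that outlives the browser session (or a terminal that never closes its browser) stops working at the cap regardless of what the client still holds.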