Forum OpenACS Q&A: Response to Cookie Expiration Recommendations

Posted by David Walker on
I believe that PersistentLoginDefaultP prevents a persistent cookie from being set. The system may still recognize already set persistent cookies unless you either clear out the active sessions table or clear the cookies on the user's machine. The system itself will clear out the sessions table after SessionLifetime expires.

The problem is that if a user closes his browser without logging out, anyone sitting at his computer can still access his account within the 2 hours that the session cookie takes to expire.
If no persistent cookie was set then this should not be the case. Once the browser is closed the cookie is deleted and logging back in will require a password.