Forum OpenACS Q&A: Response to Cookie Expiration Recommendations

Posted by Jason Khong on
So I can think of only 2 options that will help me do what's most secure (session timeout after x seconds AND on browser close, whichever comes first).

Option 1.
Jonathan, you mentioned that sec_read_security_info reads two cookies, "ad_session_id" and "ad_user_login". If one of them is set to timeout after x seconds, and the other to expire on browser close, then as a pair, they would fulfill my objective.
But I don't see the ad_user_login cookie being set on my computer. I think it's because by setting PersistentLoginDefaultP to 0 the login page didn't offer to save it.
If it's safe to enable PersistentLoginDefaultP and to set the ad_user_login & ad_session_id cookies to work in the above manner, then my problem is solved :) Jonathan, I would appreciate it if you could revert to me on this.

Option 2.
Just thought of this: since ad_validate_security_info reads the ad_session_id cookie to see if it's still valid ($last_hit + [sec_session_timeout] < [ns_time]), it actually works the same as setting a cookie to expire in x seconds.
Meaning something like instead of setting a cookie expiry date on the client-side, we let the server check if the cookie is still "fresh" :)
Then that leaves the client-side cookie's expiration date empty, thereby allowing it to expire at browser close.

If this theory is right, then it would also fulfill my objectives and I'll be one contented guy :)

So once again, share your thoughts!

P.S.: My apologies for possibly over-extending this thread. Really hope to find a fool-proof way of shutting my users out. Such noble goals! ;)
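The Option 2 mechanism from the post above, as an added Python example that is not OpenACS code: a server-side freshness check on a stored last-hit timestamp, paired with a session cookie issued without an Expires attribute (the in-memory session table, the timeout value and the helper names are assumptions standing in for the OpenACS internals).

```python
from http.cookies import SimpleCookie

# Assumed stand-in for the sec_session_timeout parameter, in seconds.
SESSION_TIMEOUT = 600

# Constructed in-memory session table: session_id -> last_hit (epoch seconds).
# OpenACS keeps this state server-side too; this dict is a simplified stand-in.
SESSIONS = {}


def issue_session_cookie(session_id, now):
    """Record a new session and build a Set-Cookie value with no Expires/Max-Age.

    Leaving the expiry empty makes it a browser-session cookie, so the browser
    discards it when it closes (the "expire at browser close" half of Option 2)."""
    SESSIONS[session_id] = now
    cookie = SimpleCookie()
    cookie["ad_session_id"] = session_id
    cookie["ad_session_id"]["path"] = "/"
    cookie["ad_session_id"]["httponly"] = True
    return cookie["ad_session_id"].OutputString()


def validate_session(session_id, now):
    """Server-side freshness check mirroring the post's condition:
    '$last_hit + [sec_session_timeout] < [ns_time]' means the session is stale.

    Returns True when the session is fresh (and refreshes last_hit, giving a
    sliding window), False when it is unknown or has timed out."""
    last_hit = SESSIONS.get(session_id)
    if last_hit is None:
        return False
    if last_hit + SESSION_TIMEOUT < now:
        SESSIONS.pop(session_id, None)  # stale: forget it server-side as well
        return False
    SESSIONS[session_id] = now  # fresh: count this hit as the new last_hit
    return True


if __name__ == "__main__":
    print(issue_session_cookie("demo", 1000))
    print(validate_session("demo", 1500))   # within timeout -> True
    print(validate_session("demo", 2500))   # 1500 + 600 < 2500 -> False
```

The server-side check is the part that actually enforces the timeout; the absent Expires attribute only asks the browser to drop the cookie at close, which a client can ignore.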