Forum OpenACS Q&A: Response to Cookie Expiration Recommendations

Posted by Jonathan Ellis on
you're right; ad_user_login doesn't get set temporarily with -forever false; it doesn't get set at all.  ad_session_id also contains user_id and that's apparently what gets used within a session.  (Again, please note that PersistentLoginDefaultP just unchecks the "store login info" checkbox BY DEFAULT; users can still check this box themselves.  it has NO EFFECT on what features are enabled/disabled.  If you want to disallow this completely you'll have to hack the login scripts a bit.)

I'm not clear on how the user_id part of ad_session_id gets zeroed out after you close your browser and come back to the site but it does.  Maybe someone else can clarify.