Re: Can we change auto-logout timing on wiki.postgresql.org? - Mailing list pgsql-www

On Sat, May  4, 2013 at 08:19:38PM +0200, Stefan Kaltenbrunner wrote:
> On 05/04/2013 08:08 PM, Bruce Momjian wrote:
> > On Sat, May  4, 2013 at 07:44:20PM +0200, Stefan Kaltenbrunner wrote:
> >> [...]
> >>> I decided to look into this again and I see my preferences aren't set
> >>> for me to get emails for changes on my watch list:
> >>>
> >>>     E-mail me when a page on my watchlist is changed
> >>>
> >>> I am not sure of the value of a watch list if you don't get email
> >>> notifications.  If I try to enable that and save, I get a failure:
> >>>
> >>>     There was either an authentication database error or you are not
> >>>     allowed to update your external account.
> >>
> >> hmm thanks for the report - that seems to be a (fairly) recently
> >> introduced buglet in our custom authentication backend, it should
> >> however not have resulted in any lost functionality just the above error
> >> message. Should be fixed now anyway.
> > 
> > OK, I was now able to add email notification for watch list changes. 
> > Let's see if I get any email when someone modifies something.  It might
> > take a few weeks before I would know.
> 
> hmm weird - afaiks the error message should have been cosmetic only, are
> you saying that it seems to have actually prevented the notifications?

Oh, it certainly prevented me from modifying my preferences, but it
certainly works now.

> >>> I am not sure when that setting was changed, but I certainly didn't do
> >>> it.  I bet that is why I don't get wiki change notifications.  Does
> >>> anyone else get notifications?
> >>
> >> I do ;)
> > 
> > Oh, that's interesting.  Did you have those buttons checked in your
> > preferences?  I did not.
> 
> yeah i had them (but I'm pretty sure I had manually checked them)

OK.  That explains it then.

> >>>> the ~20min is not a MW default, it is one from debian about cleaning up
> >>>> session data (again a protection machanism, http is stateless and you
> >>>> don't get a "user logged off" thingy in general so we need to remove
> >>>> session data in some interval to not end up with millions of session files).
> >>>> And yes as said above - we have speculated only so far on what exactly
> >>>> the session timeout mechanics are and if the settings we are currently
> >>>> dealing with actually control what people complain about - I'm still not
> >>>> sure if you are saying it does or not?
> >>>
> >>> I have no idea.
> >>
> >> hmm not sure I get that - if you restart your browser daily how are the
> >> session cookies even get preserved, or do you use one of these "restore
> >> session" features?
> > 
> > Uh, well, I have the TODO list as one of my default startup tabs.  Most
> > websites can still use old cookies on a browser restart, e.g. Gmail,
> > Slashdot.
> 
> 
> hmm pretty sure that browsers are supposed to clear session cookies if
> they are restarted otherwise you will create bad security issues.
> Consider logging in to a some site with personal information, close your
> browser hand over your laptop to somebody in the family for a quick
> browsing session and he will automatically log in to whatever site you
> been at before...

Well, if I just go to gmail.com, it certainly knows I am bmomjian.  If I
go to slashdot.org, it knows I am bmomjian too.  I have to explicitly
log out if I want be logged out.

--  Bruce Momjian  <bruce@momjian.us>        http://momjian.us EnterpriseDB
http://enterprisedb.com
 + It's impossible for everything to be true. +