On Sat, May 4, 2013 at 10:23:14PM +0200, Stefan Kaltenbrunner wrote:
> On 05/04/2013 08:24 PM, Bruce Momjian wrote:
> > On Sat, May 4, 2013 at 08:19:38PM +0200, Stefan Kaltenbrunner wrote:
> >> hmm pretty sure that browsers are supposed to clear session cookies if
> >> they are restarted otherwise you will create bad security issues.
> >> Consider logging in to a some site with personal information, close your
> >> browser hand over your laptop to somebody in the family for a quick
> >> browsing session and he will automatically log in to whatever site you
> >> been at before...
> >
> > Well, if I just go to gmail.com, it certainly knows I am bmomjian. If I
> > go to slashdot.org, it knows I am bmomjian too. I have to explicitly
> > log out if I want be logged out.
>
> erm - I guess those are using persistent (tracking) cookies(as in you
> clicked on "keep me signed in" at one time) vs classic session cookies,
> are you proposing we should impose persistent cookies on our users?
I find the use of the word "impose" curious. How do such cookies
"impose"? Is it storage imposition? Security imposition? From a user
perspective, it seems like a feature, not an imposition.
One nice thing our site does is when you click "login", it logs you in
without requiring me to actually see or type the username/password. I
have no idea how we do that, so I suspect there must be some cookie
activity.
-- Bruce Momjian <bruce@momjian.us> http://momjian.us EnterpriseDB
http://enterprisedb.com
+ It's impossible for everything to be true. +
