Date: Sat, 4 May 2013 17:43:36 -0400
From: Bruce Momjian
To: Stefan Kaltenbrunner
Cc: Magnus Hagander, "Joshua D. Drake", Paul Waring, PostgreSQL WWW
Subject: Re: Can we change auto-logout timing on wiki.postgresql.org?
Message-ID: <20130504214336.GA21630@momjian.us>

On Sat, May 4, 2013 at 10:23:14PM +0200, Stefan Kaltenbrunner wrote:
> On 05/04/2013 08:24 PM, Bruce Momjian wrote:
> > On Sat, May 4, 2013 at 08:19:38PM +0200, Stefan Kaltenbrunner wrote:
> >> hmm pretty sure that browsers are supposed to clear session cookies if
> >> they are restarted otherwise you will create bad security issues.
> >> Consider logging in to some site with personal information, close your
> >> browser hand over your laptop to somebody in the family for a quick
> >> browsing session and he will automatically log in to whatever site you've
> >> been at before...
> >
> > Well, if I just go to gmail.com, it certainly knows I am bmomjian. If I
> > go to slashdot.org, it knows I am bmomjian too. I have to explicitly
> > log out if I want to be logged out.
>
> erm - I guess those are using persistent (tracking) cookies (as in you
> clicked on "keep me signed in" at one time) vs classic session cookies,
> are you proposing we should impose persistent cookies on our users?

I find the use of the word "impose" curious. How do such cookies
"impose"? Is it storage imposition? Security imposition? From a user
perspective, it seems like a feature, not an imposition.

One nice thing our site does is when you click "login", it logs you in
without requiring me to actually see or type the username/password. I
have no idea how we do that, so I suspect there must be some cookie
activity.

-- 
  Bruce Momjian  http://momjian.us
  EnterpriseDB   http://enterprisedb.com

  + It's impossible for everything to be true. +
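
The distinction drawn in the quoted reply between classic session cookies and persistent "keep me signed in" cookies comes down to whether the Set-Cookie header carries Max-Age or Expires. The sketch below is an added example, not part of the original message or of the wiki's code; it classifies constructed Set-Cookie values following RFC 6265 (Max-Age takes precedence over Expires), and the cookie names and the fixed clock are assumptions.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

def classify_set_cookie(header_value, now):
    """Classify one Set-Cookie value as session, persistent or expired."""
    first, *rest = [p.strip() for p in header_value.split(";")]
    attrs = {}
    for part in rest:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    lifetime = None  # None means no usable Max-Age/Expires: session cookie
    if "max-age" in attrs:
        try:
            lifetime = int(attrs["max-age"])  # Max-Age wins over Expires
        except ValueError:
            pass  # malformed Max-Age is ignored, Expires may still apply
    if lifetime is None and "expires" in attrs:
        try:
            expires = parsedate_to_datetime(attrs["expires"])
            if expires.tzinfo is None:
                expires = expires.replace(tzinfo=timezone.utc)
            lifetime = int((expires - now).total_seconds())
        except (TypeError, ValueError):
            pass  # unparseable date is ignored
    if lifetime is None:
        kind = "session"      # dropped when the browser session ends
    elif lifetime <= 0:
        kind = "expired"      # server is deleting the cookie
    else:
        kind = "persistent"   # survives a browser restart
    return {"name": first.partition("=")[0], "kind": kind,
            "lifetime_seconds": lifetime,
            "secure": "secure" in attrs, "httponly": "httponly" in attrs}

# Constructed sample headers; cookie names are hypothetical.
NOW = datetime(2013, 5, 4, 21, 43, 36, tzinfo=timezone.utc)
SAMPLES = [
    "wiki_session=abc123; Path=/; Secure; HttpOnly",
    "wiki_token=def456; Max-Age=15552000; Path=/; Secure; HttpOnly",
    "wiki_token=def456; Expires=Sat, 04 May 2013 21:43:36 GMT; Max-Age=3600",
    "wiki_old=x; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Path=/",
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(classify_set_cookie(header, NOW))
```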