Received: from malur.postgresql.org ([217.196.149.56])
	by arkaria.postgresql.org with esmtp (Exim 4.72) (envelope-from
	<pgsql-www-owner+M21610=pgsql+2Dwww=arkaria.postgresql.org@postgresql.org>)
	id 1UYiVE-0000oD-Sl
	for pgsql-www@arkaria.postgresql.org; Sat, 04 May 2013 19:52:17 +0000
Received: from localhost ([127.0.0.1] helo=postgresql.org)
	by malur.postgresql.org with smtp (Exim 4.72) (envelope-from
	<pgsql-www-owner+M21610=pgsql+2Dwww=arkaria.postgresql.org@postgresql.org>)
	id 1UYiVE-0007vC-9s
	for pgsql-www@arkaria.postgresql.org; Sat, 04 May 2013 19:52:16 +0000
Received: from magus.postgresql.org ([2a02:c0:301:0:ffff::29])
	by malur.postgresql.org with esmtp (Exim 4.72)
	(envelope-from <gsstark@gmail.com>) id 1UYiVD-0007v6-JA
	for pgsql-www@postgresql.org; Sat, 04 May 2013 19:52:15 +0000
Received: from mail-ie0-x233.google.com ([2607:f8b0:4001:c03::233])
	by magus.postgresql.org with esmtp (Exim 4.72)
	(envelope-from <gsstark@gmail.com>) id 1UYiV4-0005qw-Ng
	for pgsql-www@postgresql.org; Sat, 04 May 2013 19:52:14 +0000
Received: by mail-ie0-f179.google.com with SMTP id c13so2934025ieb.10
	for <pgsql-www@postgresql.org>; Sat, 04 May 2013 12:52:05 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;
	h=x-received:mime-version:sender:in-reply-to:references:from:date
	:x-google-sender-auth:message-id:subject:to:cc:content-type;
	bh=PCs6UAw8f0Sht6PkXpEBo2oro5RGMOlW8X+gU06J9y0=;
	b=dDVLG3Q+IpEqvgJD3seHEq3Jhb+4mF1uhbU37Jbi1Ol12jln1qZPIirdwkW8mm0JFq
	yBCJ9W2jnAJcmNYkmDUc7Plx08dWQQz5iqS3aBWG+cfptGTJRSJ/S+4CQPKhVh8EM2Kf
	rbszkkNqn4xf6q1ozm9hJvfIRDImrcR6uKML9iHdmKjlFjqSnblNmdE80E1hNBDeW3cg
	EmfIA1vu2oXkanwuJa0oyux/1x4FxZTn5dE6gtTLcCRyDW72IvOY2RtZqf39MritUvny
	594+vMDiqr7Zv2lWJHS7hsYbBWZgyjq1n8j28kJ+KSxt50SCnFutWYOySbAEHxZovHIl
	QYjA==
X-Received: by 10.50.187.225 with SMTP id fv1mr941201igc.74.1367697125281;
	Sat, 04 May 2013 12:52:05 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.50.87.99 with HTTP; Sat, 4 May 2013 12:51:23 -0700 (PDT)
In-Reply-To: <5185513A.0@kaltenbrunner.cc>
References: <517B7658.9070209@commandprompt.com>
	<517B9613.4090201@kaltenbrunner.cc>
	<20130427140914.GA20361@momjian.us>
	<517BFC61.2070307@commandprompt.com>
	<20130503004045.GC3374@momjian.us>
	<CABUevEzX44DyxsGHnq8L4176FMjBvsjNLL4dXTrOo3ayHBtZ5Q@mail.gmail.com>
	<20130503132345.GG3374@momjian.us> <5185099B.6000604@kaltenbrunner.cc>
	<20130504140518.GA5625@momjian.us> <518548F4.9040109@kaltenbrunner.cc>
	<20130504180854.GB5625@momjian.us> <5185513A.0@kaltenbrunner.cc>
From: Greg Stark <stark@mit.edu>
Date: Sat, 4 May 2013 20:51:23 +0100
X-Google-Sender-Auth: caNx2mcz-dpdqo2S_kVn5R9D_2w
Message-ID: 
 <CAM-w4HPCz1zc4LfhD0s5K23t3aJQgkecxN9YBrP4dzVB0oeczA@mail.gmail.com>
Subject: Re: Can we change auto-logout timing on wiki.postgresql.org?
To: Stefan Kaltenbrunner <stefan@kaltenbrunner.cc>
Cc: Bruce Momjian <bruce@momjian.us>, Magnus Hagander <magnus@hagander.net>,
	"Joshua D. Drake" <jd@commandprompt.com>, Paul Waring <paul@xk7.net>,
	PostgreSQL WWW <pgsql-www@postgresql.org>
Content-Type: text/plain; charset=ISO-8859-1
X-Pg-Spam-Score: -1.9 (-)
List-Archive: <http://archives.postgresql.org/pgsql-www>
List-Help: <mailto:majordomo@postgresql.org?body=help>
List-ID: <pgsql-www.postgresql.org>
List-Owner: <mailto:pgsql-www-owner@postgresql.org>
List-Post: <mailto:pgsql-www@postgresql.org>
List-Subscribe: <mailto:majordomo@postgresql.org?body=sub%20pgsql-www>
List-Unsubscribe: <mailto:majordomo@postgresql.org?body=unsub%20pgsql-www>
X-Mailing-List: pgsql-www
Precedence: bulk
Sender: pgsql-www-owner@postgresql.org

On Sat, May 4, 2013 at 7:19 PM, Stefan Kaltenbrunner
<stefan@kaltenbrunner.cc> wrote:
> hmm pretty sure that browsers are supposed to clear session cookies if
> they are restarted otherwise you will create bad security issues.
> Consider logging in to a some site with personal information, close your
> browser hand over your laptop to somebody in the family for a quick
> browsing session and he will automatically log in to whatever site you
> been at before...

What is this "close your browser"? Are you sure you know when you
close your browser? What about background tasks that might keep the
browser process running even with no windows? And just because you
want Gmail open why does that mean you want to keep credentials for
Facebook and Amazon loaded? Or does it happen when you close the
window? What if there were other windows or if some other site had an
iframe on the web site you're trying to close that you didn't even
know about? When do you "close your browser" on your phone?

Now that the web is more of an application platform each application
needs to think about when it wants the credentials or other local data
it uses to expire and arrange for it to happen as desired. Depending
on a concept like "close the browser" means not really knowing when it
will happen.


-- 
greg


-- 
Sent via pgsql-www mailing list (pgsql-www@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-www