[
https://issues.apache.org/jira/browse/COUCHDB-1304?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13189875#comment-13189875
]
Benoit Chesneau commented on COUCHDB-1304:
------------------------------------------
I'm against enabling it by default. For security it's better to have a
limited session (like a bank, indeed). CouchDB is still a database after all.
> set Expires header on session cookies to make them persistent
> -------------------------------------------------------------
>
> Key: COUCHDB-1304
> URL: https://issues.apache.org/jira/browse/COUCHDB-1304
> Project: CouchDB
> Issue Type: Improvement
> Components: HTTP Interface
> Affects Versions: 1.1
> Reporter: max ogden
> Assignee: Robert Newson
> Priority: Minor
> Labels: authentication, cookie
> Fix For: 1.2
>
> Original Estimate: 1h
> Remaining Estimate: 1h
>
> Currently couch's cookie-based authentication only sets session cookies as
> opposed to persistent cookies. The difference between these two is the
> Expires header. If it is not present, most web browsers will delete your
> cookie when you quit your browser, whereas if it is set then your browser
> keeps the cookie around until the time specified by the Expires header.
> This sucks for UX because when users quit and re-launch their browser they'll
> have to log in again.
> I am proposing that we set the Expires header in cookies to match the time in
> the couch_httpd_auth timeout.
> P.S. This is similar to the issue I opened,
> https://issues.apache.org/jira/browse/COUCHDB-1095, but at that time I didn't
> realize that what I really wanted was the Expires header.
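An added example, not part of the JIRA thread or CouchDB's code: a small check that classifies a `Set-Cookie` value as a session or persistent cookie and compares its browser lifetime with the server-side timeout discussed above. The function name `audit_set_cookie`, the sample headers and the 600-second timeout are assumptions made for illustration.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

def audit_set_cookie(header, now, server_timeout_s):
    """Classify one Set-Cookie value and compare its browser lifetime
    with the server-side session timeout (seconds)."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name = parts[0].partition("=")[0]
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()

    lifetime = None                      # None: neither Expires nor Max-Age set
    if "max-age" in attrs:               # Max-Age wins over Expires (RFC 6265)
        lifetime = int(attrs["max-age"])
    elif "expires" in attrs:
        expires = parsedate_to_datetime(attrs["expires"])
        lifetime = int((expires - now).total_seconds())

    findings = []
    if lifetime is None:
        findings.append("session cookie: discarded when the browser exits")
    elif lifetime <= 0:
        findings.append("already expired: browser deletes it")
    elif lifetime > server_timeout_s:
        findings.append("persistent and outlives the server-side timeout")
    else:
        findings.append("persistent, bounded by the server-side timeout")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly")
    if "secure" not in attrs:
        findings.append("missing Secure")
    return {"name": name, "persistent": lifetime is not None and lifetime > 0,
            "lifetime_s": lifetime, "findings": findings}

# Constructed sample headers (values are placeholders, not real tokens).
NOW = datetime(2012, 1, 25, 10, 0, 0, tzinfo=timezone.utc)
SESSION = "AuthSession=constructed-token; Version=1; Path=/; HttpOnly"
PERSISTENT = ("AuthSession=constructed-token; Version=1; "
              "Expires=Wed, 25 Jan 2012 10:10:00 GMT; Path=/; HttpOnly")

if __name__ == "__main__":
    for hdr in (SESSION, PERSISTENT):
        print(audit_set_cookie(hdr, NOW, 600))
```

A persistent cookie that outlives the server-side timeout is the case to watch: the token stays on disk in the browser profile after the server has stopped honouring it, and any renewal logic extends that window.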