Here's an example scenario. Your user goes to an Internet cafe. He logs into
your web application and does what he wants to do, then closes the browser
(without logging out first) and walks out the door. If the session was not
killed on browser exit, then when the next person comes along and opens the
browser and views the history, or if the browser was set up to keep tabs open,
they can then access your user's account.

Work with the assumption that the browser exit will always kill the session.
It is by far a better security arrangement.

On Mon, Jun 22, 2009 at 11:45 AM, Sid Bachtiar <[email protected]> wrote:

>
> Hi,
>
> That's just how browsers are usually set up: to kill the session when closed.
>
> The timeout is for when the user has the browser window open, but inactive
> (e.g. not making any request to the server) for x amount of time.
>
> You need to think about the security aspect when setting the timeout.
> The longer the timeout, the greater the chance that your user forgets to
> log out and someone else uses their account.
>
> On Mon, Jun 22, 2009 at 8:59 PM, dziobacz<[email protected]> wrote:
> >
> > The user should be logged in for 30 days = 2592000 seconds. In
> > factories.yml I have:
> > all:
> >  user:
> >    class: myUser
> >    param:
> >      timeout: 2592000
> >
> > But after closing the browser the user is logged out and must log in
> > again. Why? What should I do?
> > >
> >
>
>
>
> --
> Blue Horn Ltd - System Development
> http://bluehorn.co.nz
>
> >
>


-- 
Gareth McCumskey
http://garethmccumskey.blogspot.com
twitter: @garethmcc
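
An added example (not part of the thread and not symfony code) modelling the two mechanisms discussed above: the browser discarding a session cookie on exit, and the server-side idle `timeout`. The cookie name and value, the Set-Cookie headers and the function names are constructed for illustration; it assumes a cookie lifetime is expressed with Max-Age and that the cookie was last set on the user's most recent request.

```python
from http.cookies import SimpleCookie

THIRTY_DAYS = 2592000  # the `timeout` value from the factories.yml quoted above

# Constructed Set-Cookie headers (illustrative cookie name and value).
SESSION_COOKIE = "symfony=abc123; Path=/; HttpOnly"  # no lifetime attribute
PERSISTENT_COOKIE = "symfony=abc123; Max-Age=2592000; Path=/; HttpOnly"


def browser_keeps_cookie(set_cookie, idle_seconds, browser_closed):
    """Client side: will the browser still send this cookie on the next request?"""
    morsel = next(iter(SimpleCookie(set_cookie).values()))
    if morsel["max-age"]:
        # Persistent cookie: survives browser exit until Max-Age elapses
        # (assumption: the cookie was set on the last request).
        return idle_seconds < int(morsel["max-age"])
    # Session cookie: discarded as soon as the browser is closed.
    return not browser_closed


def session_outcome(set_cookie, idle_timeout, idle_seconds, browser_closed):
    """Combine the client-side cookie lifetime with the server-side idle timeout."""
    if not browser_keeps_cookie(set_cookie, idle_seconds, browser_closed):
        return "ended: browser discarded the cookie"
    if idle_seconds > idle_timeout:
        return "ended: server idle timeout"
    return "valid"


if __name__ == "__main__":
    scenarios = {
        # The original question: 30-day timeout, yet logged out after closing.
        "long timeout, session cookie, browser closed":
            (SESSION_COOKIE, THIRTY_DAYS, 60, True),
        # The inactivity case: window left open past a 30-minute timeout.
        "short timeout, session cookie, window left open for an hour":
            (SESSION_COOKIE, 1800, 3600, False),
        # The Internet cafe case: the session outlives the browser.
        "long timeout, persistent cookie, browser closed":
            (PERSISTENT_COOKIE, THIRTY_DAYS, 600, True),
    }
    for name, args in scenarios.items():
        print(f"{name}: {session_outcome(*args)}")
```
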
