Christoph Zwerschke schrieb: > So I think the right fix is to set either > expires AND max-age (which overrides expires for new browsers) - then > you get a permanent cookie, or to set NONE of these, then you get a > session cookie that is discarded when the browser is closed. My idea is > to make this choice configurable via visit.cookie.permanent which will > be False by default, for security reasons.
+1 If I understand correctly, max-age will be set to visit.timeout * 60 and expires to utcnow + visit.timeout * 60, right? Or do we need another config value for the cookie expiration time? While we're at it, should we add support for the "Discard" cookie option? Do browsers support it? Chris --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "TurboGears Trunk" group. To post to this group, send email to [email protected] To unsubscribe from this group, send email to [EMAIL PROTECTED] For more options, visit this group at http://groups.google.com/group/turbogears-trunk?hl=en -~----------~----~----~----~------~----~------~--~---
