Hi,

We're looking at adding a 'stay logged in' function to a web application protected by Shiro; the intent is that a user who selects this option wouldn't be prompted for a login for a predefined period of time. We're considering two possibilities (though obviously open to suggestions if there are better ideas): the first is to use remember me and the second is to extend the length of sessions.
With remember me, the generated cookie is valid indefinitely (which would need to be changed) and a specific key should be set for the cipher service. If we were to change the length of sessions we'd lose the distinction of authenticated/remembered, but expiration would be controlled by the server. Would anyone have any suggestions or problems/ideas we've missed?

Thanks,
Matthew
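The two options from the message above, sketched as a `shiro.ini` fragment. This is an added example, not part of the original post; the 14-day lifetime, the URL paths and the key placeholder are assumptions.

```ini
[main]
# --- Option 1: remember-me with a bounded cookie and an explicit cipher key ---
# Cookie lifetime in seconds, enforced by the browser (assumed value: 14 days).
securityManager.rememberMeManager.cookie.maxAge = 1209600
securityManager.rememberMeManager.cookie.httpOnly = true
securityManager.rememberMeManager.cookie.secure = true
# Placeholder only: generate a random AES key per deployment, Base64-encode it,
# and load it from protected configuration rather than committing it.
securityManager.rememberMeManager.cipherKey = REPLACE_WITH_BASE64_AES_KEY

# --- Option 2 (alternative): longer server-side sessions ---
# Timeout in milliseconds, enforced by the server (assumed value: 14 days).
# With this option alone, a returning user is simply still authenticated.
# sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
# securityManager.sessionManager = $sessionManager
# securityManager.sessionManager.globalSessionTimeout = 1209600000

[urls]
# Hypothetical paths. With option 1 the authenticated/remembered distinction
# survives: "authc" demands a login performed in the current session, while
# "user" also admits a subject restored from the remember-me cookie.
/account/** = authc
/** = user
```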