On Oct 2, 2008, at 01:44, John Plocher wrote:

> Alan Burlison wrote:
>> You'll only have to log in if you want to change anything, which
>> immediately excludes most casual users.
>>>> although this will of course be configurable.
>>> As long as it can be set to things like "2 weeks", "1 month" or even
>>> "never"...
>>
>> It will most probably be a small number of hours, and certainly not
>> more than a day.
>>
>
> I think that this misses the point - when I access the site once or
> twice a week, I do so to edit web pages and the like. This policy limit
> (which seems overly restrictive to me) means that statistically, *every*
> time community leaders like myself access the site to update page
> content, they will be forced to relogin, making the remember-me feature
> almost completely worthless to the very community leaders for whom it
> was designed.
>
> Given that the current "4 years and counting" scheme hasn't exposed any
> documented (or even alleged) instances of cookie theft and/or
> unauthorized alterations, and lacking any data to back up your
> preference for "between one and four hours", I'd like to suggest that
> the predominant use-case (not to mention industry-wide norms) calls for
> a 2-week period instead.

+1. Forcing most people to engage in a login action every time they want
to edit seems a backward step even if the principle causing it looks
logical. If you're really worried I suggest re-confirming at random and
before critical changes.

S.

_______________________________________________
website-discuss mailing list
[email protected]
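
The policy debated in this thread, sketched as an added example (not code from the list, the site or any poster): a 2-week remember-me cookie combined with re-confirmation before critical changes and on an occasional random spot check. The action names, the spot-check rate and the Session fields are assumptions; the 2-week and 4-hour figures are the ones quoted above.

```python
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta

# From the thread: the proposed 2-week remember-me period and the upper end
# of the "between one and four hours" window. Everything else is assumed.
REMEMBER_ME_LIFETIME = timedelta(weeks=2)
FRESH_AUTH_WINDOW = timedelta(hours=4)
CRITICAL_ACTIONS = {"change_password", "change_email", "delete_page"}  # hypothetical
SPOT_CHECK_RATE = 0.05  # hypothetical share of ordinary edits re-confirmed


@dataclass
class Session:
    cookie_issued: datetime       # when the remember-me cookie was set
    last_password_auth: datetime  # last time the password was actually typed


def decide(session, action, now, rng=secrets.SystemRandom().random):
    """Return 'allow', 'reconfirm' or 'login' for a requested action."""
    if action == "view":
        return "allow"  # per the thread, only changes require a login
    cookie_age = now - session.cookie_issued
    # An expired or future-dated cookie is not trusted at all: full login.
    if cookie_age < timedelta(0) or cookie_age > REMEMBER_ME_LIFETIME:
        return "login"
    auth_age = now - session.last_password_auth
    if timedelta(0) <= auth_age <= FRESH_AUTH_WINDOW:
        return "allow"  # password entered recently, nothing more to ask
    if action in CRITICAL_ACTIONS:
        return "reconfirm"  # remembered session, but a critical change
    # Ordinary edit on a remembered session: re-confirm only at random.
    return "reconfirm" if rng() < SPOT_CHECK_RATE else "allow"
```

With these settings a leader who edits once or twice a week is normally let through on the cookie alone, while a stolen cookie cannot by itself make a critical change.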
