https://bugzilla.wikimedia.org/show_bug.cgi?id=66699

--- Comment #16 from Matthew Flaschen <mflasc...@wikimedia.org> ---
(In reply to Krinkle from comment #15)
> Allowing existing sessions to be picked up again after more than a month of
> not using the site doesn't seem very valuable. If anything it sounds a
> little dodgy from a security perspective (e.g. stolen sessions, or computer
> theft).

There's also a benefit if the user (think of new users especially) forgets
their password, especially since we don't require an email.

It's common for there to be a tension between security and convenience.

> I'm not opposing it entirely on any of those grounds, just want to verify
> here:
> 
> 1) Is it true that sessions are automatically extended with each visit and
> that therefore, with 30 days expiration, the session will last forever if
> you visit once every 30 days?

I don't believe so:

git grep -F -- '->setCookies'

Only specific login pages (Special:UserLogin and API login) and
Special:ChangePassword seem to call that.  I don't think there's anything that
extends the expiration time when you're just browsing around.

> 2) Is the only use case that would justify this change so that users who
> aren't very active don't have to log in again if they've been inactive for
> over a month?

I think it's just 30 days from login, regardless of what you do in between.
