https://bugzilla.wikimedia.org/show_bug.cgi?id=66699
--- Comment #17 from Krinkle <[email protected]> ---

Right, we only set the cookie at log in time and it expires after 30 days regardless of whether the user actively uses their account (at which point they'd randomly find themselves logged-out after 30 days, not in the middle of a browser session due to the session cookie, but the next time they re-open the browser).

I believed we had this already (I don't recall having to authenticate anywhere in the last few months for Wikimedia wikis, so either something else is extending it or I just forgot I had to do it once). Same for Google, Facebook, etc., for those I'm quite certain it is being extended automatically.

Sending the session cookies back to the browser on every request is not that expensive, but I can imagine that not being very attractive. Ideally we'd programmatically find out when the login session expires, and refresh it once a day or so. Unfortunately, the expiration property of a cookie can only be set, not read.

The solution I used to use for my Toolserver is to store the expiration date given to the browser for the session id on the server in the actual session data. Then whenever a request comes in and the cookie is more than e.g. 24h old, refresh it once.

This covers the use case proposed in this bug: New users will not have to log in again after 30 days (especially if they forgot their password and didn't provide an e-mail address).

Whilst having two additional advantages:

* We don't accept dormant sessions over a year old to be used to authenticate the user.
* We do distinguish between used and unused sessions.
* We provide even more convenience to users (never[1] have to log in again, not even once a year).

[1] never, that is, as much as we can help it. We may invalidate sessions for security reasons or when performing data centre maintenance. And browsers may garbage collect cookies at some point.
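The refresh scheme described in the comment above, as an added example: this is not MediaWiki's code or the commenter's Toolserver code. The in-memory `SESSIONS` store, the cookie name `session`, the cookie attributes and all function names are assumptions made for illustration; the 30-day lifetime and 24h refresh threshold are the figures from the comment.

```python
import secrets
from datetime import datetime, timedelta, timezone
from email.utils import format_datetime

LIFETIME = timedelta(days=30)        # cookie lifetime mentioned in the comment
REFRESH_AFTER = timedelta(hours=24)  # re-send the cookie at most about once a day

SESSIONS = {}  # hypothetical server-side store: session id -> session data


def set_cookie(sid, expires):
    """Build the Set-Cookie header value for a session id (expires must be UTC)."""
    stamp = format_datetime(expires, usegmt=True)
    return f"session={sid}; Expires={stamp}; Path=/; Secure; HttpOnly; SameSite=Lax"


def log_in(user, now):
    """Create a session; record when the cookie was issued and when it expires."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "issued": now, "expires": now + LIFETIME}
    return sid, set_cookie(sid, now + LIFETIME)


def handle_request(sid, now):
    """Return (user, Set-Cookie value or None) for an incoming session id."""
    data = SESSIONS.get(sid)
    if data is None:
        return None, None
    if now >= data["expires"]:
        # Dormant session: the server-side expiry is authoritative, so a
        # replayed cookie is rejected even if the client still presents it.
        del SESSIONS[sid]
        return None, None
    if now - data["issued"] < REFRESH_AFTER:
        return data["user"], None  # cookie is recent, send nothing back
    # The browser cannot report the cookie's expiry, so the server uses its
    # own record to decide that the cookie is due for a refresh.
    data["issued"] = now
    data["expires"] = now + LIFETIME
    return data["user"], set_cookie(sid, data["expires"])
```

Because the expiry lives in the session data, invalidating a session for security reasons only requires deleting the server-side entry.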
