Here's why:
My application permits persistent login (see http://xmlx.ca/articles/625.aspx). Users are automatically logged out by timeouturl, and automagically logged back in (after the timeout) by username/password cookies maintained in their browser. Three cookies -- userreference, username, password_hash -- provide everything that's needed to maintain state while the user variables exist on the server, and restore state if they've expired. This is done through a login table that has a userreference, login state, and a foreign key to the user table.
Users can also manually log out, which marks the login table as such and clears the username/password_hash cookies. But there's a problem if the user mistakenly quits the browser without manually logging out. Separate login logic enforces a single user session rule, i.e., a user may only have a single userreference "logged in". When the browser is quit and the user tries to log in again, they are rejected, and have to wait for their user variables to time out, so they get logged out on the server.
If all three cookies had an expiry, when the browser was re-launched, the same userreference cookie would still exist, and the user would either still be logged in or would be automagically re-logged in, just as if they had left the browser open but there had been no activity.
Any thoughts?
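The lockout described in the message, modelled as an added example that is not part of the original post and is not Witango code. The `Server` class, the 1800-second timeout, the outcome strings and the sample user are all assumptions, and the login form is simplified to a request carrying only username and password_hash.

```python
import secrets

TIMEOUT = 1800  # assumed server-side idle timeout for user variables, in seconds

class Server:
    """Constructed model of the login table: one row per issued userreference."""
    def __init__(self, users):
        self.users = users   # username -> password_hash
        self.logins = {}     # userreference -> [username, logged_in, last_seen]

    def _expire(self, now):
        # Server-side timeout: idle sessions are marked logged out.
        for row in self.logins.values():
            if row[1] and now - row[2] >= TIMEOUT:
                row[1] = False

    def _active_ref(self, username):
        return next((ref for ref, row in self.logins.items()
                     if row[0] == username and row[1]), None)

    def request(self, cookies, now):
        """Handle one request; return (outcome, cookies the browser now holds)."""
        self._expire(now)
        name, pw = cookies.get("username"), cookies.get("password_hash")
        row = self.logins.get(cookies.get("userreference"))
        if row and row[1]:                 # userreference is still logged in
            row[2] = now
            return "active", cookies
        if name is None or self.users.get(name) != pw:
            return "login-required", cookies
        if row and row[0] == name:         # same userreference: restore state
            row[1], row[2] = True, now
            return "relogin", cookies
        if self._active_ref(name):         # single user session rule
            return "rejected", cookies
        ref = secrets.token_hex(8)
        self.logins[ref] = [name, True, now]
        return "logged-in", {"userreference": ref, "username": name, "password_hash": pw}

def relaunch_outcome(cookies_have_expiry, idle_seconds):
    """Log in, quit the browser without logging out, relaunch after idle_seconds."""
    server = Server({"alice": "constructed-hash"})
    form = {"username": "alice", "password_hash": "constructed-hash"}
    _, jar = server.request(form, now=0)
    if not cookies_have_expiry:
        jar = {}  # session cookies vanish when the browser quits
    # With no stored cookies the user has to submit the login form again.
    outcome, _ = server.request(jar or form, now=idle_seconds)
    return outcome
```

Giving the cookies an expiry also writes password_hash to disk, where it works as a password-equivalent credential for as long as it is stored; a random server-issued token in its place limits that exposure.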
