Shelf life of cookies
2009-02-23 16:05:40.715488+00 by Dan Lyke
4 comments
Dear everyone who runs a web site that asks for a login: Clicking "remember me" or un-clicking "public terminal" should set a cookie that exists for as long as I'm likely to be using this browser on this user account. It should be measured in years. Not days. Not even weeks. Thank you.
comments in ascending chronological order:
#Comment Re: made: 2009-02-23 17:17:10.607228+00 by: TheSHAD0W
Or refresh the cookie every time the site is visited. I'd suggest that method instead.
#Comment Re: made: 2009-02-23 17:22:43.982735+00 by: Dan Lyke
That might be what's going on, but many of these are sites I visit in week or two sorts of intervals, and they keep forgetting me.
#Comment Re: made: 2009-02-23 19:01:44.723559+00 by: meuon
I clear out cookie cache so often when debugging stuff I could care less.
Even on my home system, I delete it before and after any important website (financials, etc.) - But I'm just that paranoid.
#Comment Re: made: 2009-02-23 19:35:21.891021+00 by: other_todd
I tend to agree - I think "remember me" implies "until I choose to make you forget me" - but a lot of users don't interpret it that way, and there have been complaints.
At my workplace all our cookies are session cookies; they vanish when the browser is closed. We get complaints about that too, but since some of what we protect with a login is reasonably sensitive data, tough luck.
You can't win, is my point. If we had a cookie that expired after two weeks, someone would complain that it was too long and someone would complain it was too short. (And if you gave the user the option to choose the cookie duration, someone would complain it was too complex.)
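The cookie lifetimes discussed in this thread (session cookies, a fixed expiry, and a cookie refreshed on every visit), as an added example that is not code from the post or from any commenter: it builds the `Set-Cookie` value and counts how often a user who returns every 10 days has to log in again under each policy. The cookie name `remember`, the visit schedule, the window lengths and the assumption that the browser is closed between visits are all constructed for illustration.

```python
import secrets
from http.cookies import SimpleCookie

def remember_cookie(token, max_age_days=None):
    """Set-Cookie value for a login cookie; max_age_days=None gives a session cookie."""
    jar = SimpleCookie()
    jar["remember"] = token              # cookie name is an assumption
    m = jar["remember"]
    m["path"] = "/"
    m["secure"] = True                   # only sent over HTTPS
    m["httponly"] = True                 # not readable from page script
    m["samesite"] = "Lax"
    if max_age_days is not None:
        m["max-age"] = max_age_days * 86400
    return m.OutputString()

def forced_logins(visit_days, policy, window_days=0):
    """Count how often a returning user has to log in again (first login excluded).

    policy: "session" - cookie dies with the browser (assumed closed between visits)
            "fixed"   - expiry set once at login, never extended
            "sliding" - cookie re-issued with a fresh expiry on every visit
    """
    expires = None                       # day number on which the cookie lapses
    logins = 0
    for day in visit_days:
        remembered = expires is not None and day < expires
        if not remembered:
            logins += 1                  # user has to type credentials
        if policy == "session":
            expires = None
        elif policy == "sliding" or not remembered:
            expires = day + window_days  # fixed: only set at (re)login
    return logins - 1

VISITS = [0, 10, 20, 30, 40]             # constructed: one visit every 10 days

if __name__ == "__main__":
    print(remember_cookie(secrets.token_urlsafe(32), max_age_days=14))
    for policy, window in [("session", 0), ("fixed", 14), ("sliding", 7),
                           ("sliding", 14), ("fixed", 730)]:
        print(policy, window, forced_logins(VISITS, policy, window))
```

With this schedule a 7-day sliding window forgets the user on every visit, exactly like a session cookie, while a 14-day sliding window never does: refreshing only helps when the window is longer than the gap between visits.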