[OT] our cookie expiration

Kevin Turner kevin at janrain.com
Wed Oct 4 21:20:15 UTC 2006


On Wed, 2006-10-04 at 19:40 +0100, Martin Atkins wrote:
> it's been my experience that users are willing to trade an awful lot of 
> security to avoid software nagging at them repeatedly.

Which goes back to what Dick was saying about his myopenid.com login
cookie not expiring.  Users didn't like logging in after every time
their browser restarted, so we made the cookie persistent.

Does that make us a "BadCitizen-IdP"?  I don't believe it does.
Expiring cookies sooner seems beneficial for a particular group of
users, those who are:

1) cautious enough to not leave their myopenid.com password in their
browser's password cache, and
2) careless enough to leave their desktops unlocked when unattended.

The combination of those two contrasting qualities seems likely to be a
small subset of our user base.  We hoped the remaining users who really
wanted to not have old login cookies lying around would avail
themselves of the "sign off" button.
