Re: Update login expiration on site visit #suggestion


Jim Higgins
 

Received from Jim Fisher at 11/5/2018 08:05 PM UTC:

> The normal way for a cookie to be used for login purposes is to simply set it when a person logs in and subsequently check for its existence whenever they visit a page requiring a login.

That's not quite how LOGIN cookies are handled. You can't just check for EXISTENCE of the cookie because they aren't all the same. You must also check the specific cookie CONTENT against the subscriber database so that the specific user is authenticated and the areas he may visit and privileges he has are known before granting access. It's not enough to say a cookie EXISTS so it's OK to give the person privileges in whatever area of the site he happened to land on. You have to authenticate the cookie contents.

> The cookie is simply deleted when they log out or when it expires (in the latter case by the browser). No record is maintained anywhere of why it was deleted or even if it ever existed.

Yes... in the case of a deletion by the browser. Not necessarily in the case of an explicit log-out. In that latter case some sites may want to replace the log-in credentials stored in the cookie with something else. The point being that what MIGHT be put in that cookie isn't as important as understanding that deletion isn't the only option.

> To do anything more than that standard process would involve Mark in a whole lot of work using permanent special purpose cookies, if it's possible at all.

Having some experience in this area, unless the implementation of lasting log-in cookies is made as complicated and with as many interacting options as hashtags are, it should be almost trivial to implement. If the cookie authenticates, update the cookie's expiration date. It's as easy as that.

Jim H
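
The flow discussed in this message (check the cookie's content against a server-side record, and on success push the expiration forward) can be sketched as follows. This is an added example, not code from the post or from Groups.io; the function names, the `login` cookie name, the in-memory `sessions` dict standing in for the subscriber database, and the 30-day lifetime are all assumptions.

```python
import hashlib
import secrets
from http.cookies import SimpleCookie

LIFETIME = 30 * 24 * 3600  # assumed login lifetime in seconds
sessions = {}  # sha256(token) -> record; stands in for the subscriber database

def key_for(token):
    # Store only a hash so a leaked table does not yield usable cookies.
    return hashlib.sha256(token.encode()).hexdigest()

def set_cookie(token, max_age):
    c = SimpleCookie()
    c["login"] = token
    c["login"]["max-age"] = max_age
    c["login"]["path"] = "/"
    c["login"]["secure"] = True
    c["login"]["httponly"] = True
    return c["login"].OutputString()

def read_token(cookie_header):
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    return jar["login"].value if "login" in jar else None

def login(user, now):
    token = secrets.token_urlsafe(32)  # unguessable cookie content
    sessions[key_for(token)] = {"user": user, "expires": now + LIFETIME}
    return token, set_cookie(token, LIFETIME)

def authenticate(cookie_header, now):
    """Return (user, refreshed Set-Cookie value), or None if the cookie fails."""
    token = read_token(cookie_header)
    record = sessions.get(key_for(token)) if token else None
    if record is None:  # a cookie exists, but its content is not known
        return None
    if now >= record["expires"]:  # expiry enforced server-side as well
        del sessions[key_for(token)]
        return None
    record["expires"] = now + LIFETIME  # site visit: slide expiration forward
    return record["user"], set_cookie(token, LIFETIME)

def logout(cookie_header):
    token = read_token(cookie_header)
    if token:
        sessions.pop(key_for(token), None)  # invalidate on the server too
    return set_cookie("", 0)  # ask the browser to drop the cookie
```
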
