[Mailman-Developers] Cookies

John Viega viega@list.org
Sat, 30 May 1998 03:41:04 -0700


I installed Scott's patches for confirmation and admin logins (thank
god for ediff-buffers).  I have a couple of questions mainly for
Scott, but I think other people might be interested in discussing
them.

First, I don't know what the expiration time for cookies is, but the
cookie didn't go away when I shut down my browser.  Do you think
that's good behavior?  I'd like to not be implicitly logged in if
someone else starts up my browser.  Also, I've seen some sites that
log people off automatically after 15 mins of inactivity on that site.
Do you think that's a good idea?

Second, if you don't have cookies on, changes don't get made.  You get
sent back to the login screen, and when you log back in, everything is
the same.  Should cookies really be required?  Something that could be
done to offer similar functionality yet not require cookies would be
to have an "enter your password" box after the initial login, and put
the password in the proper field as default text.  While that may not
be incredibly secure, it's not much worse than sending a plaintext
password via httpd the first time only (although the password will be
in the page source).

Also, perhaps there should be a way to explicitly log out?
I can't get logged out, even by turning off cookies!


John
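The three points raised above (a login cookie that survives a browser restart, a 15-minute inactivity logout, and an explicit logout) can all be expressed in the cookie the server sets. The following is an added example written for this discussion; it is not Mailman code from Scott's patches or anywhere else. It assumes a hypothetical cookie name (mm_admin), a hypothetical server-side secret, and a stateless design in which the cookie carries the list name, a last-activity timestamp and an HMAC over both, so the server can enforce the idle timeout without storing sessions. A cookie set without Expires or Max-Age is a "session cookie" and is discarded when the browser exits; Max-Age=0 is how the server tells the browser to delete it.

```python
import hashlib
import hmac
import time
from http.cookies import SimpleCookie
from typing import Optional, Tuple

# Hypothetical values for the example; a real deployment would generate a
# random secret at install time and keep it out of the web tree.
SECRET = b"example-secret-not-for-production"
COOKIE_NAME = "mm_admin"
IDLE_TIMEOUT = 15 * 60          # seconds of inactivity before the login lapses
PERSISTENT_MAX_AGE = 7 * 24 * 3600


def _sign(payload: str) -> str:
    """HMAC-SHA256 over the payload so the browser cannot forge or alter it."""
    return hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()


def make_cookie_value(listname: str, now: float) -> str:
    """Cookie value is listname:last-activity:signature."""
    payload = f"{listname}:{int(now)}"
    return f"{payload}:{_sign(payload)}"


def login_header(listname: str, now: float, persistent: bool = False) -> str:
    """Set-Cookie line issued at login and re-issued on every authenticated
    request, which refreshes the timestamp and gives the sliding 15-minute
    inactivity window.  Without Max-Age the cookie is a session cookie and
    disappears when the browser is closed."""
    c = SimpleCookie()
    c[COOKIE_NAME] = make_cookie_value(listname, now)
    c[COOKIE_NAME]["path"] = "/"
    c[COOKIE_NAME]["httponly"] = True        # keep it away from page scripts
    if persistent:
        c[COOKIE_NAME]["max-age"] = PERSISTENT_MAX_AGE
    return c.output(header="Set-Cookie:")


def logout_header() -> str:
    """Set-Cookie line for an explicit logout: Max-Age=0 plus a past Expires
    makes the browser drop the cookie immediately."""
    c = SimpleCookie()
    c[COOKIE_NAME] = ""
    c[COOKIE_NAME]["path"] = "/"
    c[COOKIE_NAME]["max-age"] = 0
    c[COOKIE_NAME]["expires"] = "Thu, 01 Jan 1970 00:00:00 GMT"
    return c.output(header="Set-Cookie:")


def verify(cookie_header: str, now: float) -> Tuple[Optional[str], str]:
    """Check the browser's Cookie header.  Returns (listname, reason); listname
    is None when the login is missing, malformed, tampered with, or idle for
    longer than IDLE_TIMEOUT."""
    c = SimpleCookie()
    c.load(cookie_header)
    if COOKIE_NAME not in c:
        return None, "no cookie"
    try:
        listname, ts, sig = c[COOKIE_NAME].value.rsplit(":", 2)
    except ValueError:
        return None, "malformed"
    if not hmac.compare_digest(sig, _sign(f"{listname}:{ts}")):
        return None, "bad signature"
    if not ts.isdigit():
        return None, "malformed"
    if now - int(ts) > IDLE_TIMEOUT:
        return None, "idle timeout"
    return listname, "ok"


if __name__ == "__main__":
    # Constructed walk-through: log in, come back a minute later, then after
    # twenty minutes, then log out explicitly.
    t0 = time.time()
    hdr = login_header("mylist", t0)
    cookie = hdr.split(": ", 1)[1].split(";")[0]      # what the browser sends back
    print(hdr)
    print(verify(cookie, t0 + 60))
    print(verify(cookie, t0 + 20 * 60))
    print(logout_header())
```

The trade-off in this design is the one the message touches on: a session cookie with a signed timestamp means nothing sensitive sits in page source and the server keeps no state, but it still requires the browser to accept cookies. The password-in-a-form-field alternative avoids that requirement at the cost of echoing the password back in every page.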