[Mailman-Users] What would your dream Mailman web interface look like?

Richard Damon Richard at Damon-Family.org
Fri Apr 10 05:29:02 CEST 2015


On 4/9/15 8:49 PM, Peter Shute wrote:
> Richard Damon wrote:
>
>>> It would be helpful to me if it somehow allowed an iOS
>>> browser to stay logged in. I haven't found one that will -
>>> something to do with cookies expiring when the app is in the
>>> background, I think.
>>> Peter Shute
>>>
>> My understanding is this is a basic problem about using
>> session cookies.
>> In iOS, the browser "session" can end even without "closing"
>> the browser, by switching to another app, and the OS
>> deciding it needs the memory from the browser so it unloads
>> it, causing the cookies to disappear. Perhaps using a
>> "long-lived" login cookie, but that has other security
>> issues, and I am not positive that iOS browsers keep those
>> either (and many more people have these disabled by default).
> I can stay logged in for months on some other web sites, so it can be done. I guess it's just a matter of how adopting the same methods would affect security.
>
> What I would normally do in cases like this is save the password in the browser, but for some reason Safari and other browsers don't offer that option for mailman logins - maybe something to do with the form only asking for a password, and not a username? If getting the login to survive going into the background isn't appropriate then doing whatever it takes to make the browser realise it's a login page would be a good second best.
>
> That said, I haven't tested how long a Safari login will survive for a while now. Maybe the latest iOS does better.
>
> Peter Shute
>
Web sites that keep you logged in for a long period of time tend to use 
a "long-lived" cookie to validate you (in addition to the session cookie 
like Mailman uses). Normally this cookie holds a token that the site 
will accept as a valid log in for you. The security risk is that if 
something gets hold of this cookie, then it too can log into the site, 
and thus presents a security risk. How big a risk depends on a number of 
factors.

Yes, I suspect that the lack of a user name on the admin pages is what 
trips up most password memory systems.

-- 
Richard Damon
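The scheme Richard describes above (a long-lived cookie carrying a token the site accepts as a login, with the risk that anyone who obtains the cookie can log in as you) can be bounded in a few standard ways: store only a hash of the token server-side so a database leak does not yield usable cookies, give it an expiry, allow revocation, and send it with HttpOnly/Secure/SameSite attributes so scripts and cross-site requests cannot read or replay it. The following is an added illustration written for this thread, not code from Mailman or from either poster; the function names, the in-memory store and the cookie name `remember` are all assumptions.

```python
import hashlib
import hmac
import secrets
import time

# Constructed in-memory token store (assumption: a real site would use its
# database). Maps a public selector -> record with the hashed verifier,
# the user it belongs to and an absolute expiry time.
_store = {}


def issue_token(user, ttl_seconds=30 * 24 * 3600, now=None):
    """Create a long-lived login token for `user` and return the cookie value.

    The cookie value is "selector:verifier". Only the SHA-256 of the verifier
    is kept server-side, so a copy of the store alone cannot be turned into
    a working cookie.
    """
    now = time.time() if now is None else now
    selector = secrets.token_urlsafe(12)   # lookup key, not secret
    verifier = secrets.token_urlsafe(32)   # the actual secret, never stored
    _store[selector] = {
        "hash": hashlib.sha256(verifier.encode()).digest(),
        "user": user,
        "expires": now + ttl_seconds,
    }
    return f"{selector}:{verifier}"


def validate_token(cookie_value, now=None):
    """Return the user name the cookie logs in as, or None if it is invalid.

    Expired tokens are deleted on sight; the verifier is compared in
    constant time so a timing side channel cannot help guess it.
    """
    now = time.time() if now is None else now
    try:
        selector, verifier = cookie_value.split(":", 1)
    except ValueError:
        return None
    record = _store.get(selector)
    if record is None:
        return None
    if now >= record["expires"]:
        del _store[selector]
        return None
    presented = hashlib.sha256(verifier.encode()).digest()
    if not hmac.compare_digest(record["hash"], presented):
        return None
    return record["user"]


def revoke_all(user):
    """Invalidate every long-lived token for `user` (e.g. on password change)
    and return how many were removed."""
    doomed = [sel for sel, rec in _store.items() if rec["user"] == user]
    for sel in doomed:
        del _store[sel]
    return len(doomed)


def cookie_header(cookie_value, ttl_seconds):
    """Build the Set-Cookie header value for the token.

    HttpOnly keeps page scripts from reading it, Secure restricts it to
    HTTPS, SameSite=Lax keeps it off cross-site POSTs, and Max-Age makes
    the browser retain it across app unloads instead of as a session cookie.
    """
    return (f"remember={cookie_value}; Max-Age={ttl_seconds}; Path=/; "
            f"Secure; HttpOnly; SameSite=Lax")


if __name__ == "__main__":
    value = issue_token("listadmin", ttl_seconds=3600, now=1000)
    print(cookie_header(value, 3600))
    print("valid now:", validate_token(value, now=1500))
    print("valid after expiry:", validate_token(value, now=5000))
```

The `now` parameter exists only so the expiry path can be exercised deterministically; in production it is left unset and the clock is used. Because the verifier is high-entropy and only its hash is stored, the remaining exposure is exactly the one Richard names: a copy of the cookie taken from the client.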
