-
-
Notifications
You must be signed in to change notification settings - Fork 165
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Change the $CookieLifeTime default to 30 minutes to match $sessionKeyTimeout. #2408
Change the $CookieLifeTime default to 30 minutes to match $sessionKeyTimeout. #2408
Conversation
Are there any problems if |
Yes, that is a huge problem. Basically, what should really be done is the |
Furthermore, 3 hours is an excessive timeout that should certainly not be the default, and no one really should use a timeout that is that long. That has security vulnerability written all over it. |
37b6361
to
0f38bb4
Compare
Basically, the one case that should never happen is for The other case is not as serious, but still shouldn't be. There is no point in the browser hanging on to a cookie that won't work. Perhaps I should do as we discussed in the meeting on Wednesday and take this to where it should be. That is delete the |
The one case where you would want the timeout to be long (like 3 hours) would be the case that you have a test with a large number of problems per page in which case you might expect the user to sit on one page for a long period of time without any requests being sent to the server. Of course that use case is not recommended (anymore at least). However, instructors don't always adhere to that recommendation. So that would be a case that you would set |
Prior to 2.17 I would have argued for a longer default timeout because of this. Since that use case is no longer recommended I am okay with a shorter default. If people are using long, monolithic quizzes they can manually set a longer timeout for their course. I also think that getting rid of |
If the two things are becoming one, let's make a new thing with a new name, like How terrible is the following idea? When entering a timed quiz or loading a timed quiz page, everywhere that This would temporarily make |
0f38bb4
to
4a37a02
Compare
…Timeout. The cookie lifetime should be the same as the session timeout. It doesn't make sense to keep the cookie any longer than the session is valid for. That only results in stale cookies sitting unusable in the browser cache. Should we consider increasing both of these settings to 1 hour instead of 30 minutes? I don't think it would be a good idea to increase the default any more than that. Note that the time limit is extended each time that a request is sent to the server. So a 30 minute cookie and session lifetime means that if there must be no communication between the client and server for a full 30 minutes before the session expires. Also correct the $CookieSameSite documentation in localOverrides.conf. I think this was a copy and paste issue.
4a37a02
to
18add65
Compare
I am closing this in favor of #2412 which is much better. |
The cookie lifetime should be the same as the session timeout. It doesn't make sense to keep the cookie any longer than the session is valid for. That only results in stale cookies sitting unusable in the browser cache.
Should we consider increasing both of these settings to 1 hour instead of 30 minutes? I don't think it would be a good idea to increase the default any more than that. Note that the time limit is extended each time that a request is sent to the server. So a 30 minute cookie and session lifetime means that if there must be no communication between the client and server for a full 30 minutes before the session expires.
Also correct the $CookieSameSite documentation in localOverrides.conf. I think this was a copy and paste issue.