Re: Can we change auto-logout timing on wiki.postgresql.org?

On Sat, May 4, 2013 at 08:19:38PM +0200, Stefan Kaltenbrunner wrote:
> On 05/04/2013 08:08 PM, Bruce Momjian wrote:
> > On Sat, May 4, 2013 at 07:44:20PM +0200, Stefan Kaltenbrunner wrote:
> >> [...]
> >>> I decided to look into this again and I see my preferences aren't set
> >>> for me to get emails for changes on my watch list:
> >>>
> >>> E-mail me when a page on my watchlist is changed
> >>>
> >>> I am not sure of the value of a watch list if you don't get email
> >>> notifications. If I try to enable that and save, I get a failure:
> >>>
> >>> There was either an authentication database error or you are not
> >>> allowed to update your external account.
> >>
> >> hmm thanks for the report - that seems to be a (fairly) recently
> >> introduced buglet in our custom authentication backend, it should
> >> however not have resulted in any lost functionality just the above error
> >> message. Should be fixed now anyway.
> >
> > OK, I was now able to add email notification for watch list changes.
> > Let's see if I get any email when someone modifies something. It might
> > take a few weeks before I would know.
>
> hmm weird - afaiks the error message should have been cosmetic only, are
> you saying that it seems to have actually prevented the notifications?

Oh, it certainly prevented me from modifying my preferences, but it
certainly works now.

> >>> I am not sure when that setting was changed, but I certainly didn't do
> >>> it. I bet that is why I don't get wiki change notifications. Does
> >>> anyone else get notifications?
> >>
> >> I do ;)
> >
> > Oh, that's interesting. Did you have those buttons checked in your
> > preferences? I did not.
>
> yeah i had them (but I'm pretty sure I had manually checked them)

OK. That explains it then.

> >>>> the ~20min is not a MW default, it is one from debian about cleaning up
> >>>> session data (again a protection machanism, http is stateless and you
> >>>> don't get a "user logged off" thingy in general so we need to remove
> >>>> session data in some interval to not end up with millions of session files).
> >>>> And yes as said above - we have speculated only so far on what exactly
> >>>> the session timeout mechanics are and if the settings we are currently
> >>>> dealing with actually control what people complain about - I'm still not
> >>>> sure if you are saying it does or not?
> >>>
> >>> I have no idea.
> >>
> >> hmm not sure I get that - if you restart your browser daily how are the
> >> session cookies even get preserved, or do you use one of these "restore
> >> session" features?
> >
> > Uh, well, I have the TODO list as one of my default startup tabs. Most
> > websites can still use old cookies on a browser restart, e.g. Gmail,
> > Slashdot.
>
>
> hmm pretty sure that browsers are supposed to clear session cookies if
> they are restarted otherwise you will create bad security issues.
> Consider logging in to a some site with personal information, close your
> browser hand over your laptop to somebody in the family for a quick
> browsing session and he will automatically log in to whatever site you
> been at before...

Well, if I just go to gmail.com, it certainly knows I am bmomjian. If I
go to slashdot.org, it knows I am bmomjian too. I have to explicitly
log out if I want be logged out.

--
Bruce Momjian <bruce(at)momjian(dot)us> http://momjian.us
EnterpriseDB http://enterprisedb.com

+ It's impossible for everything to be true. +