Tim Lesher wrote:
> The first thing I can think of that some applications would want is a "remember me on this computer" cookie that allows a user to choose to automatically log in. The duration of the cookie should be configurable by the application.
The expiration of the cookie is entirely configurable. If you specify a 0 timeout, the cookie will never expire and your application will always remember visitors.
> Certainly, it's not appropriate for all applications--some will not want to use it, for security reasons. But it's common enough, and enough of a pain to implement every time, that it would be a good addition to the core functionality.
Actually, one of the features in the TurboGears identity module is the ability to expire current identity sessions. So let's say you permit permanent logins, you *will* have the option to open the admin console and pick the user and manually expire his identity session -- thereby voiding his cookie.
I still don't expect many developers to enable permanent login, but it is definitely available.
-- Jeff Watkins http://metrocat.org/
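
The two behaviours discussed in this message, a timeout of 0 meaning the login never expires and an administrator expiring a user's identity sessions to void the cookie, shown as an added example that is not part of the original message and is not TurboGears code. The class and method names (`IdentitySessionStore`, `expire_user`) are hypothetical, and it assumes the cookie carries only a random token that the server looks up.

```python
import secrets
import time


class IdentitySessionStore:
    """Server-side record of identity sessions; the cookie only carries the token."""

    def __init__(self, timeout_seconds):
        # Assumption: a timeout of 0 means "never expires", as in the message above.
        self.timeout = timeout_seconds
        self._sessions = {}  # token -> (user, issued_at)

    def login(self, user, now=None):
        token = secrets.token_urlsafe(32)  # unguessable cookie value
        self._sessions[token] = (user, time.time() if now is None else now)
        return token

    def lookup(self, token, now=None):
        """Return the user for a cookie token, or None if expired or revoked."""
        record = self._sessions.get(token)
        if record is None:
            return None
        user, issued_at = record
        now = time.time() if now is None else now
        if self.timeout != 0 and now - issued_at >= self.timeout:
            del self._sessions[token]  # drop expired sessions on access
            return None
        return user

    def expire_user(self, user):
        """Admin action: void every session (and so every cookie) of one user."""
        doomed = [t for t, (u, _) in self._sessions.items() if u == user]
        for token in doomed:
            del self._sessions[token]
        return len(doomed)


def demo():
    store = IdentitySessionStore(timeout_seconds=0)  # permanent login
    laptop = store.login("tim", now=0)   # constructed sample users and times
    phone = store.login("tim", now=10)
    other = store.login("jeff", now=20)
    year = 365 * 24 * 3600
    still_valid = store.lookup(laptop, now=year)  # timeout 0: still logged in
    revoked = store.expire_user("tim")            # manual expiry by an admin
    return (still_valid, revoked, store.lookup(laptop, now=year),
            store.lookup(phone, now=year), store.lookup(other, now=year))
```

Because validity is decided by the server-side record, removing that record voids the cookie on every device at once, whatever expiry date the browser holds.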

