Skip to main content
Topic: remove auto-expiring session option at log in (Read 1466 times) previous topic - next topic
0 Members and 1 Guest are viewing this topic.

remove auto-expiring session option at log in

My "philosophy" is that things that aren't essential or frequently used should be a)easily removable and b)probably not enabled by default.
And I think that "remember me" or "how long you want to stay logged in" feature on a log-in screen falls in that category.
Maybe I'm weird, but I don't think I've ever in my entire life wanted my session/cookies to automatically expire after some time. OTOH, I've been annoyed by this feature many many times.

If someone doesn't want to be logged in anymore, they can just... log out. Or visit the website in a private/incognito browser window in the first place. It's never been easier. The EU cookie law also helped to raise awareness among the general population.

And I just opened the Twitter, Facebook and Gmail log in pages. None of them has expiring session options. You might say it's because they want to track you, fair enough. But my point is that people are used to this behavior, it's standard for the most popular websites. So I think having such checkboxes or drop down menus in a forum UI contributes to clutter and confusion.

And of course it's not just ElkArte. Other forums have this too, and they're all wrong IMO.

Re: remove auto-expiring session option at log in

Reply #1

I will agree that the time-based approach (after an hour, a day, a week) whatever that SMF had historically... that should have gone a while ago. I don't think I know anyone who ever had that use case. Not even me browsing forums from a work computer at lunchtime, back when incognito mode didn't exist, bothered to use the 'login for an hour'. I'd log out when I was done.

I'm torn though on the 'remember me' option because the mechanics are a bit different for that. Facebook, Twitter etc. might not because they're pretty personal, and one can presume that a) you're probably logging into those from your personal device and b) if you're using someone else's device to log into these things you're probably taking enough care about it after.

This isn't 100% true, there are plenty of cases of people who've used shared devices and forgotten to log out afterwards. I remember seeing it one time where someone had gone into the Apple store in my hometown, used an iPad to check their Facebook and left it logged in. (Being a kind soul, I logged them out without tampering with their account.)

Forums though occupy a slightly different ground whereby they're generally less personal and if you do happen to log into a forum on a shared/not-personal device, chances are you're less likely to be as diligent.

I dunno. I definitely think there's a value still in having that option - as long as it's just the tickbox - and if not, as long as you're expected to reauthenticate occasionally (like Patreon does, roughly once a month from what I've seen) that's a reasonable precaution.

As for 'the EU cookie law taught...' the only thing it taught people was to "press OK to make the annoying banner to go away", it has not done anything to actually teach people about privacy - and guaranteed it did nothing to encourage site owners to actually cut down on cookies like analytics, it just made them figure out how to spin it as essential.

Re: remove auto-expiring session option at log in

Reply #2


Quote from: Arantor – I'm torn though on the 'remember me' option because the mechanics are a bit different for that.
Isn't that just equivalent to the "forever" time option?

And I should have searched better, because there's this topic and "minutes to stay logged in" is about to be removed.

Still, I would like to see even the checkbox be optionally removable. Sure, there's a possibility that the checkbox can prevent a catastrophe with a logged in session on a gardening forum. :) But I'd rather run that risk than annoy people the other 99.99% of the time with UI clutter.
Or if you keep it, at least check the "remember me" (forever) by default please. Or at the very least add an option to make it checked.

Re: remove auto-expiring session option at log in

Reply #3

As you noted the minutes to bla bla has been removed in 2.0 and only the remember me checkbox remains.   The extra login bar in the header has also been removed as its just redundant clutter.

I'm with Arantor, I still see the need for the "opt in" checkbox to stay logged in,  I don't see that going away.   Setting it as the default maybe an option, have to think abut that.

Re: remove auto-expiring session option at log in

Reply #4

Quote from: Unuser – And I think that "remember me" or "how long you want to stay logged in" feature on a log-in screen falls in that category.
Maybe I'm weird, but I don't think I've ever in my entire life wanted my session/cookies to automatically expire after some time. OTOH, I've been annoyed by this feature many many times.
I think what's really intended (although I don't much care for that either) is if you phrase it more like "x minutes/hours after last activity." Then again, the distinction is unlikely to matter except for values under 60 minutes.

Re: remove auto-expiring session option at log in

Reply #5

Thing about the “forever” option is that it’s actually longer lived than you might think. Assuming the same code as in SMF (and I’m on mobile now so can’t easily check), the cookie for forever stays there for 6 years or until you log out.

I don’t know if that’s necessarily a good thing or not.

Re: remove auto-expiring session option at log in

Reply #6

There's one advantage to an auto-expiring log-in, although there's always the debate as to the ideal temporal duration, which makes "user-selectable" justifiable.

On my forum (1.1.6) I've set the default expiration to 240 minutes, because virtually all my users are drawing social security and we're lucky if we can remember why we logged-in in the first place. :)

After some period of time bypassing the credentials, you forget what they were, and then at some point later "out and about' and without your own 'terminal device' and thusly using a different 'terminal device', have to screw around with password reset and such, and inevitably you can't remember your (auto-filled) email login password either to get the new reset password using the new terminal. At that point your only option is to just forget it, go outside and play (which may not be a bad thing).

But yea, that's a "personal issue" and I'm not advocating anything one way or the other, I'm just sayin...

// Deep inside every dilemma lies a solution that involves explosives //

Re: remove auto-expiring session option at log in

Reply #7

You forgot the option of they signed up with an email from their former work address and now when they try to reset it, welp they no longer have that email.  That is part of the reason the "contact us" option was added, but in my experience that has, lets just say not worked out as intended :P

Its been a while, on a non scfi geek forum, since I have seen the work "temporal" used, kudos!

If your members are depressed about SS, here is something to cheer them up and aspire to (from the mind of George Carlin)

QuoteI want to live my next life backwards:
You start out dead and get that out of the way.
Then you wake up in a nursing home feeling better every day.
Then you get kicked out for being too healthy. Enjoy your retirement and collect your pension.
Then when you start work, you get a gold watch on your first day. You work 40 years until you're too young to work.  You get ready for High School: drink alcohol, party, and you're generally promiscuous.
Then you go to primary school, you become a kid, you play, and you have no responsibilities.
Then you become a baby
Then you spend your last 9 months floating peacefully in luxury, in spa-like conditions – central heating, room service on tap
Then ... you finish off as an orgasm.

Re: remove auto-expiring session option at log in

Reply #8

Quote from: Spuds – You forgot the option of they signed up with an email from their former work address and now when they try to reset it, welp they no longer have that email.  That is part of the reason the "contact us" option was added, but in my experience that has, lets just say not worked out as intended :P

Its been a while, on a non scfi geek forum, since I have seen the work "temporal" used, kudos!

If your members are depressed about SS, here is something to cheer them up and aspire to (from the mind of George Carlin)

QuoteI want to live my next life backwards:
You start out dead and get that out of the way.
Then you wake up in a nursing home feeling better every day.
Then you get kicked out for being too healthy. Enjoy your retirement and collect your pension.
Then when you start work, you get a gold watch on your first day. You work 40 years until you're too young to work.  You get ready for High School: drink alcohol, party, and you're generally promiscuous.
Then you go to primary school, you become a kid, you play, and you have no responsibilities.
Then you become a baby

Fortunately I own my own domain (and email addy), and I get posts in email so I get the full quote   :D

Which makes me wonder if "finishing off as an orgasm" would mean, like getting an atomic wedgie at the moment of death, I'd be stuck with it for eternity (another Carlinism?)..  Certainly better outcome, although I suppose PGAD would get old after awhile too.  :-[

(Meanwhile, might want to check out that displayed quote length limitation. Scroll-bars? - Although nested quotes w/scroll-bars could break things bad I expect..).  :P

(Edit:  aaaaaannnnnddddd ...it's fixed!)
Last Edit: April 07, 2022, 07:51:14 am by Steeley

// Deep inside every dilemma lies a solution that involves explosives //