Comment 4 for bug 568106

Gary Poster (gary) wrote :

I think we ought to do what Stuart suggests, quickly.

I have some inconclusive thoughts on a longer-term solution, following.

Since we are hoping to switch to HTTP for much of Launchpad, we have been contemplating making HTTP session cookies last only a day or less (while HTTPS session cookies might last much longer, as they do). This would mitigate the risk of stolen session cookies.

If we did that, when an OP still thinks that a user is logged in and Launchpad has timed out an HTTP session, I would like the OP to re-authenticate the Launchpad session without user interaction. That is, it would just do the redirect dance *without* requiring the user to click "OK" again. This would make more frequent Launchpad HTTP re-authentication much less painful.

However, if a user explicitly logs out of Launchpad, it would be reasonable to force the OP to re-authenticate the next time the user logs in.

Is there any way to make this story work, other than the short-term solution we will be implementing per Stuart's suggestion? Does anyone disagree on my goals?

I don't see