
I have developed a web application and I am using a cookie to store the users ID.

My question is how long should I set the expiry for? Should I aim to set it as short as possible?

For example: my application is to do with time and attendance, so I could assume that the maximum time away from the app would be a 2-week holiday, so I could set it for 3 weeks or 1 month.

Or should I just set it to 1 year, 10 years? Do developers have some sort of ethical responsibility to keep machines cookie free when they can or are people not bothered about this kind of thing?

BartoszKP
Matt Wilko
  • You generally don't want to store a user id in a cookie at all. Use a session cookie. – Matt Ball Aug 23 '12 at 13:19
  • It is a userID (actually a clock number) for my application so the user will know this anyway - it is not sensitive if that is what you mean. It just means they don't have to keep typing it in. – Matt Wilko Aug 23 '12 at 13:20

1 Answer

I think if your application contains any sensitive data, you should offer a choice to your users, like 'Remember me'.

We have a business-critical application, where users can have invoices and sensitive data. One year ago we even made a two-factor login required for all users.

So it depends on what there is to secure. Or, another question: if somebody goes on a holiday of, say, 2 weeks, is it so bad that he has to re-login when he arrives home?

Generally it is just a comfort feature, I think.

About the ethical question: if you have personal and important data in your system, you should try to secure it with one of the best technologies available today (I mean, for example, how you store passwords), but if you want to give comfort to your users, let them use a "Remember me" function, because then it is not your decision.

András Ottó
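The comment on the question ("use a session cookie") and the answer's opt-in "Remember me" suggestion are two different cookie lifetimes. The following is an added illustration in Python's standard library, not code from the question, the answer or either author's application. It assumes an in-memory token table standing in for a database, a constructed clock number `clock-1234`, and the three-week lifetime the question floats. The cookie never carries the user id itself; it carries a random token whose expiry the server records and enforces, so the lifetime does not depend on the browser honouring `Max-Age`.

```python
"""Session cookie versus opt-in "Remember me" cookie (added illustration)."""
import hashlib
import secrets
from http.cookies import SimpleCookie
from typing import Dict, Optional, Tuple

# Three weeks: the longest absence the question expects (a 2-week holiday plus slack).
REMEMBER_MAX_AGE = 21 * 24 * 60 * 60


def cookie_header(name: str, value: str, max_age: Optional[int] = None) -> str:
    """Build a Set-Cookie header value with the defensive attributes set.

    Without max_age the browser treats it as a session cookie and discards it
    when the browser closes; with max_age it persists for that many seconds.
    """
    jar = SimpleCookie()
    jar[name] = value
    morsel = jar[name]
    morsel["path"] = "/"
    morsel["httponly"] = True      # not readable from page scripts
    morsel["secure"] = True        # only sent over HTTPS
    morsel["samesite"] = "Lax"     # not attached to cross-site POSTs
    if max_age is not None:
        morsel["max-age"] = max_age
    return morsel.OutputString()


def session_cookie_header(session_id: str) -> str:
    """Plain session cookie: no Max-Age, so it dies with the browser."""
    return cookie_header("sid", session_id)


class RememberMeStore:
    """Server-side table of remember-me tokens (hypothetical in-memory stand-in for a DB).

    Only a SHA-256 digest of each token is stored, so a copy of the table does
    not hand out working cookies; the server keeps its own expiry timestamp so
    the lifetime is enforced regardless of what the browser does.
    """

    def __init__(self) -> None:
        self._tokens: Dict[str, Tuple[str, int]] = {}

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id: str, now: int) -> Tuple[str, str]:
        """Create a token for user_id; returns (Set-Cookie value, raw token)."""
        token = secrets.token_urlsafe(32)
        self._tokens[self._digest(token)] = (user_id, now + REMEMBER_MAX_AGE)
        return cookie_header("remember", token, REMEMBER_MAX_AGE), token

    def resolve(self, token: str, now: int) -> Optional[str]:
        """Return the user id for a presented token, or None if unknown or expired."""
        key = self._digest(token)
        record = self._tokens.get(key)
        if record is None:
            return None
        user_id, expires_at = record
        if now >= expires_at:
            self._tokens.pop(key, None)   # expired: remove it rather than keep it around
            return None
        return user_id

    def revoke(self, token: str) -> None:
        """Invalidate a token, e.g. on explicit logout or a password change."""
        self._tokens.pop(self._digest(token), None)


if __name__ == "__main__":
    store = RememberMeStore()
    header, token = store.issue("clock-1234", now=0)   # constructed sample user
    print(session_cookie_header("abc123"))
    print(header)
    print(store.resolve(token, now=REMEMBER_MAX_AGE - 1))   # still valid
    print(store.resolve(token, now=REMEMBER_MAX_AGE))       # expired -> None
```

The split answers the question's "1 year or 10 years" dilemma in practice: the session cookie needs no expiry decision at all, and the remember-me cookie only exists for users who asked for it, with a bound the server can shorten or revoke without waiting for the browser.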