[ic] {Spam?} Re: long-lived sessions/carts?

Rick Bragg lists at gmnet.net
Fri Feb 17 19:13:18 UTC 2012

On Fri, 2012-02-17 at 09:55 -0800, Grant wrote:
> >> I'm currently expiring sessions after 2 days:
> >>
> >> find /cat/tmp -type f -mtime +2 | xargs --no-run-if-empty rm && find
> >> /cat/tmp -depth -type d -empty -mtime +2 | xargs --no-run-if-empty
> >> rmdir && find /cat/session -type f -mtime +2 | xargs --no-run-if-empty
> >> rm && find /cat/session -depth -type d -empty -mtime +2 | xargs
> >> --no-run-if-empty rmdir
> >>
> >> Has anyone tried waiting much longer than that?  Maybe 30, 60, or even
> >> 90 days?  When I'm shopping online, I've noticed it's nice to add
> >> something to my cart and come back much later to find the item still
> >> in there without having to create an account.
> >>
> >> - Grant
> >>
> >> _______________________________________________
> >> interchange-users mailing list
> >> interchange-users at icdevgroup.org
> >> http://www.icdevgroup.org/mailman/listinfo/interchange-users
> >>
> >
> > It's obviously a tradeoff with security.  Personally, I don't like to
> > keep session open for more than a day.  In some cases where I give users
> > the ability to edit content, I don't keep the sessions for more than a
> > couple hours.   Maybe when they save a cart, you can send them an email
> > with a unique key that will expire for that longer time?
> > Rick
> Hi Rick, so security is a consideration because an attacker could
> guess IP addresses and session keys in order to gain access to someone
> else's session?  Is there anything sensitive kept in a
> typical/standard IC session besides shipping and billing address?
> - Grant

Well, address info alone makes me cringe, and It is pretty easy to
hijack a session in many environments.  I also give users access to do
allot of things within their session including
creating/modifying/sharing content on the site, messaging other users,
etc...  I look at a "session" as only a first line of defense for a very
short time and kick people out ASAP.  If they want to save anything,
share anything, or create content, I give them a link to URL with a key,
or require them to log in.  Since creating an account is a pain in the
ass, You don't have to require them to log in if you just give them a
link to a URL for a given resource with a unique key... I usually hash
the session for that key and expire it much later (days or weeks etc...)

More information about the interchange-users mailing list