[ic] {Spam?} Re: Re: long-lived sessions/carts?

Grant emailgrant at gmail.com
Wed Feb 22 00:49:33 UTC 2012

>> > >> I'm currently expiring sessions after 2 days:
>> > >>
>> > >> find /cat/tmp -type f -mtime +2 | xargs --no-run-if-empty rm && find
>> > >> /cat/tmp -depth -type d -empty -mtime +2 | xargs --no-run-if-empty
>> > >> rmdir && find /cat/session -type f -mtime +2 | xargs --no-run-if-empty
>> > >> rm && find /cat/session -depth -type d -empty -mtime +2 | xargs
>> > >> --no-run-if-empty rmdir
>> > >>
>> > >> Has anyone tried waiting much longer than that?  Maybe 30, 60, or even
>> > >> 90 days?  When I'm shopping online, I've noticed it's nice to add
>> > >> something to my cart and come back much later to find the item still
>> > >> in there without having to create an account.
>> > >>
>> > >> - Grant
>> > >
>> > > It's obviously a tradeoff with security.  Personally, I don't like to
>> > > keep session open for more than a day.  In some cases where I give users
>> > > the ability to edit content, I don't keep the sessions for more than a
>> > > couple hours.   Maybe when they save a cart, you can send them an email
>> > > with a unique key that will expire for that longer time?
>> > > Rick
>> >
>> > Hi Rick, so security is a consideration because an attacker could
>> > guess IP addresses and session keys in order to gain access to someone
>> > else's session?  Is there anything sensitive kept in a
>> > typical/standard IC session besides shipping and billing address?
>> >
>> > - Grant
>> >
>> Well, address info alone makes me cringe, and It is pretty easy to
>> hijack a session in many environments.  I also give users access to do
>> allot of things within their session including
>> creating/modifying/sharing content on the site, messaging other users,
>> etc...  I look at a "session" as only a first line of defense for a very
>> short time and kick people out ASAP.  If they want to save anything,
>> share anything, or create content, I give them a link to URL with a key,
>> or require them to log in.  Since creating an account is a pain in the
>> ass, You don't have to require them to log in if you just give them a
>> link to a URL for a given resource with a unique key... I usually hash
>> the session for that key and expire it much later (days or weeks etc...)
>> Rick
> One example is a site where I made a HTML5 feature where people could
> upload a photo of their face, and try on glasses.  If they want, they
> can also share their photo on social networks without logging in to IC.
> In order to do this, I used a hash of their session as part of the URL
> of that private photo.  This way, they could share the resource with
> others without logging in, and without worrying about session hijack.
> Rick

That makes a lot of sense for that sort of thing, but the unique URL
requirement isn't ideal for this since shoppers can drift in and out
of a store over any period of time without referring to a particular
URL.  I think saving the cart contents in a cookie or setting up cart
contents to expire much later than sensitive session information would
be ideal?

- Grant

More information about the interchange-users mailing list