  1. When you log out of a web app, should ALL your sessions be logged out? When I log out of the web app from the public library, should it also log me out of the session I have on my home computer?

  2. When you choose "remember me" or "stay signed in" when logging in (to extend your session beyond the time your browser is open), does this get continuously updated each time you access the site? If it's originally set for 30 days, does that 30 days get extended when you access the site two weeks later?

I know there are no definite answers here; I'm just looking for some good considerations and expectations.

+1  A: 

When you log out of a web app, should ALL your sessions be logged out?

Generally, if the requirement is that a person be logged on to only one location at a time, it will log off the first computer when the account is accessed from the second computer. If the site allows a person to be logged on at multiple computers, only the computer that is logged off gets logged off, not the others.

When you choose "remember me" or "stay signed in" when logging in (to extend your session beyond the time your browser is open), does this get continuously updated each time you access the site? If it's originally set for 30 days, does that 30 days get extended when you log on two weeks later?

Yes, your 30 days starts over when you access the site again. This is how Yahoo Mail and several other well-known sites work.

Robert Harvey
+1  A: 

Usually you are simply logged out from the system you are on. The session is generally based on either cookies or a tag attached to the URL, depending on setup. So any login/logout you do really only affects the individual machine/browser that you are using.

Logging the user out from all other computers would be a bit harder to implement, and I can't think of many situations where it would be useful.

As for the "remember me" feature, I'd say that the correct behavior is to extend the expiration with every visit.

apocalypse9
I guess I should have explained -- I'm storing the session IDs in a DB, so I have the option of deleting all sessions for that user when they log out from any of them (they'd potentially still have a session cookie, but it would be invalid).
scotts
Ah, alright, I wasn't thinking of that approach. Still, if you have the option I'd definitely only remove the current session. It is generally more convenient and users expect it to work that way. Obviously there are exceptions to every rule, but if there is no compelling reason to handle logouts on a per-user basis I wouldn't.
apocalypse9
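
An added example, not part of the original thread: a sketch of the DB-backed approach discussed in the comments, showing per-device logout, logout of every session for a user, and the 30-day "remember me" window that restarts on each visit. The in-memory SQLite table, the `SessionStore` class and its method names, and storing a SHA-256 hash of the token instead of the raw session ID are all assumptions made for illustration.

```python
import hashlib
import secrets
import sqlite3
import time

REMEMBER_TTL = 30 * 24 * 3600  # the 30-day "remember me" window from the question

class SessionStore:
    """Server-side session table; schema and names are assumptions."""

    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        self.db.execute("CREATE TABLE sessions (token_hash TEXT PRIMARY KEY, "
                        "user_id TEXT NOT NULL, expires_at REAL NOT NULL)")

    @staticmethod
    def _hash(token):
        # Store only a hash so a leaked table does not yield usable cookies.
        return hashlib.sha256(token.encode()).hexdigest()

    def login(self, user_id, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # value that goes in the cookie
        self.db.execute("INSERT INTO sessions VALUES (?, ?, ?)",
                        (self._hash(token), user_id, now + REMEMBER_TTL))
        return token

    def validate(self, token, now=None):
        """Return the user id and slide the expiry, or None if invalid."""
        now = time.time() if now is None else now
        h = self._hash(token)
        row = self.db.execute("SELECT user_id, expires_at FROM sessions "
                              "WHERE token_hash = ?", (h,)).fetchone()
        if row is None:
            return None  # deleted server-side: the cookie alone is worthless
        if row[1] <= now:
            self.logout(token)  # purge the expired row
            return None
        self.db.execute("UPDATE sessions SET expires_at = ? WHERE token_hash = ?",
                        (now + REMEMBER_TTL, h))
        return row[0]

    def logout(self, token):
        """Log out only the device holding this token."""
        self.db.execute("DELETE FROM sessions WHERE token_hash = ?", (self._hash(token),))

    def logout_everywhere(self, user_id):
        """Invalidate every session for the user; returns rows removed."""
        return self.db.execute("DELETE FROM sessions WHERE user_id = ?", (user_id,)).rowcount
```

Because validity is decided by the table row, a cookie left behind on another machine stops working as soon as its row is deleted, which is the behaviour scotts describes.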