tags:

views:

104

answers:

2
Q: 

logging in, logging out & session behavior

  1. When you log out of a web app, should ALL your session be logged out? When I log out of the web app from the public library, should it also log me out of the session I have on my home computer?

  2. When you choose "remember me" or "stay signed in" when logging in (to extend your session beyond the time your browser is open), does this get continuously updated each time you access the site? If it's originally set for 30 days, does that 30 days get extended when you access the site two weeks later?

I know there are no definite answers here; I'm just looking for some good considerations and expectations.

+1  A: 

When you log out of a web app, should ALL your session be logged out?

Generally, if the requirement is that a person be logged on to only one location at a time, it will log off the first computer when the account is accessed from the second computer. If the site allows a person to be logged on at multiple computers, only the computer that is logged off gets logged off, not the others.

When you choose "remember me" or "stay signed in" when logging in (to extend your session beyond the time your browser is open), does this get continuously updated each time you access the site? If it's originally set for 30 days, does that 30 days get extended when you log on two weeks later?

Yes, your 30 days starts over when you access the site again. This is how Yahoo Mail and several other well-known sites work.

Robert Harvey  2009-09-11 23:35:43
+1  A: 

Usually you are simply logged out from the system you are on. The session is generally based on either cookies or a tag attached to the url depending on setup. So any login/logout you do really only affects the individual machine/browser that you are using.

Logging the user out from all other computers would be a bit harder to implement, and I can't think of many situations where it would be useful.

As for the remember me feature- I'd say that the correct behavior is to extend the expiration with every visit.

apocalypse9  2009-09-11 23:36:49
I guess I should have explained -- I'm storing the session IDs in a DB, so I have the options of deleting all sessions for that user when they log out from any of them (they'd potentially still have a session cookie, but it would be invalid).
scotts  2009-09-11 23:57:09
Ah, alright- I wasn't thinking of that approach. Still if you have the option I'd definitely only remove the current session. It is generally more convenient and users expect it to work that way. Obviously there are exceptions to every rule- but if there is no compelling reason to handle logouts on a per user basis I wouldn't
apocalypse9  2009-09-12 00:51:27

related questions

Which resolution to target for a Mobile App?
iPhone app that access the Core Location framework over web
Displaying version of underlying software in footer of web app?
How Did You Decide Between WISA and LAMP?
What strategies have you employed to improve web application performance?
What skills do you need for proper UI/Interaction/Functional design in Web Apps?
Storing logged in user details
How do you unit test web apps hosted remotely?
Broken chart images in Crystal Reports in web application
Best Way to Begin Learning Web Application Design
JRuby / Rack deployment
How to affordably release a Web App
Best practices for managing and deploying large javascript apps
Building Standalone Applications in JavaScript
iPhone web applications, templates, frameworks?
How do you stress test a web application?
RSS feeds from Gallery2
Recommendation for straight-forward python frameworks
Graphing JavaScript Library
What to use for login ID?
What's your opinion on using UUIDs as database row identifiers, particularly in web apps?
Implementing an online ordering system for a restaurant/cafe.
Web App Beta
What Hosting Service is best for Django applications?
How to make subdomain user accounts in a webapp