Re: Fixing cookies (Re: Some half-baked thoughts about cookies.)

On Wed, Aug 29, 2018 at 09:52:51AM -0700, Daniel Veditz wrote:
> On Wed, Aug 29, 2018 at 2:05 AM, Martin J. Dürst <duerst@it.aoyama.ac.jp>
> wrote:
> 
> > On Tue, Aug 28, 2018 at 10:02:34AM -0700, Daniel Veditz wrote:
> >
> >>
> >>> No asking! Opinionated browsers could
> >>> [impose a shorter max-age] today if they wanted to
> >>>
> >>
> > From everything I have heard about users and browsers, my guess is that
> > users would blame the browser and switch to another browser.
> >
> 
> If it's too short, sure. The length would be a decision the browser vendor
> ought to make carefully based on data and user studies. The default would
> no doubt have to be longer than the more privacy-conscious users would want
> which is why a user-adjustable setting would be nice. I'm confident users
> wouldn't even notice a cap of a year, for example, and that's a lot shorter
> than the many "expires in 2038" cookies I see. What about a month? Probably
> fine. A week? I think users would start noticing and get annoyed. But
> that's just guessing and such a decision shouldn't be based on guesses.

Sure and really, expiring without activity and with activity are two
different things. From what I've seen, which led me to implement it in
haproxy, people are willing to support shorter inactivity times if they
have longer expiration times with regular activity. Typically one week
will be too short for many users as a maximum duration and many will be
fine with a month. But many users would be fine with one week (or even
3 days) of inactivity with a cap of one month in any case. This is a
safeguard for them that all the random sites they visit by accident or
after a search will forget them faster. The sites they care about are
visited often.

Willy

Received on Wednesday, 29 August 2018 17:31:03 UTC
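
The inactivity-plus-cap policy described in the message above, sketched as a client-side cookie jar. This is an added example, not part of the original thread and not haproxy's code; the function names, the `POLICY` object and the sample cookies are assumptions made for illustration, with the one-week idle and one-month cap figures taken from the message.

```javascript
// Added illustration: all names and sample data are constructed.
const DAY = 24 * 60 * 60 * 1000;
// Figures taken from the message: one week idle, one month cap.
const POLICY = { maxIdleMs: 7 * DAY, maxLifeMs: 30 * DAY };

// Return [reason, time] for the earliest of the three bounds on a cookie.
function binding(c, p = POLICY) {
  return [
    ["server-expiry", c.serverExpires],
    ["max-life", c.created + p.maxLifeMs],
    ["idle", c.lastUsed + p.maxIdleMs],
  ].sort((a, b) => a[1] - b[1])[0];
}

// A visit refreshes only the idle timer; `created` never moves, so the cap holds.
// An already-expired cookie is returned unchanged (it cannot be revived).
function touch(c, now, p = POLICY) {
  return now < binding(c, p)[1] ? { ...c, lastUsed: now } : c;
}

// Split the jar into cookies still valid at `now` and those dropped, with the reason.
function prune(jar, now, p = POLICY) {
  const kept = [], dropped = [];
  for (const c of jar) {
    const [reason, expiry] = binding(c, p);
    if (now < expiry) kept.push(c);
    else dropped.push({ name: c.name, reason });
  }
  return { kept, dropped };
}

// Constructed scenario: both cookies ask for a 2038 expiry.
const T0 = Date.UTC(2018, 7, 1);
const Y2038 = Date.UTC(2038, 0, 19);
function simulate() {
  const fresh = (name) => ({ name, created: T0, lastUsed: T0, serverExpires: Y2038 });
  let frequent = fresh("frequent-site"); // revisited every 2 days
  const oneOff = fresh("one-off");       // visited once, by accident
  const report = {};
  for (let d = 1; d <= 31; d++) {
    const now = T0 + d * DAY;
    if (d % 2 === 0) frequent = touch(frequent, now);
    if (d === 10 || d === 31) report["day" + d] = prune([frequent, oneOff], now).dropped;
  }
  return report;
}

console.log(JSON.stringify(simulate()));
```

The accidental visit is forgotten once the idle window passes, while the frequently visited site keeps its cookie until the cap, regardless of the 2038 expiry both cookies requested.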