Hi Sanford,

On Fri, Sep 27, 2013 at 7:57 AM, Sanford Whiteman <swhitemanlistens-softw...@cypressintegrated.com> wrote:
>
> > Users who are concerned about this situation should disable it. Users
> > who are concerned about security should accept this case.
>
> I assume "users" are as we understand them here, i.e. me.
>
> But as a developer-user I would likely want to empower my end-users to
> turn off this feature themselves. With high-volume sites (not that I
> really have any anymore, but a guy can dream) there isn't going to be
> a one-size-fits-all regarding connection quality, but there can be a
> default INI setting and then a function that we can call to override
> it. Paranoid users will turn/leave it on.... any user in a sketchy
> connection situation will turn it off (per session or for all their
> future sessions).
>
> Which is kind of why this is sounding more and more like a nice
> discussion... about a userland solution.

Besides the issue with unstable connections, we have URL-based sessions.
When a URL-based session is used, this feature should be disabled, as pages
are cached by browsers.

Even if this change is made, it would not be a default and there would be
an INI for the client IP header or variable. So there is no need to worry
about it being the default. (Did I miss the "not" in "not a default" in
previous mails? If I did, my apologies.)

BTW, if the connection is unstable and an app forces the user to log out,
is it going to be a problem? It would depend on the message displayed, but
I guess users think it is due to the unstable connection.

If mobile apps are native, almost all apps store a username/password or some
credential that automatically reconnects to the service. Therefore, I suppose
it wouldn't become an issue. I might be too optimistic, though.

Regards,

--
Yasuo Ohgaki
yohg...@ohgaki.net