If you are concerned with cookie security, you should always use SSL encryption. The same username is included in the page output, for example, so the fact that it’s included in the cookie as well isn’t a information leak as such.

The cookie uses a cryptographic hash that has a limited timespan, the default is 12 hours, after which the cookie will no longer be accepted.

You can lower this timeout:

1. go to the ZMI of your plone instance

2. Find the acl_users folder, then the session plugin:

   

3. Go to the Properties tab (right-most tab)

4. Change the “Cookie validity timeout (in seconds)” property to a new value.

Take note of the “Refresh interval (in seconds, -1 to disable refresh)” value below it though; whenever the signed cookie is older than the refresh interval, a new cookie is generated, to refresh the cookie lifetime. So, by default, once every hour, you are issued a new cookie that is valid for 12 hours.

You don’t want your cookie validity timeout to fall below the refresh interval. If you set these values very low, you may want to think about using a periodic AJAX ‘ping’ request to keep the cookie fresh while the user is still using the site.

In fact, plone.session already includes a facility to implement this ping for you. Simply enable it by installing the “Session refresh support” add-on in the control panel (“Site setup” > “Add-ons” > check “Session refresh support 3.5”, click “Activate”). This will install the javascript library for you, and it’ll ping the server every 5 minutes, provided there has been some mouse or keyboard activity while the current page is loaded.