I have developed a web application and I am using a cookie to store the user's ID.
My question is how long should I set the expiry for? Should I aim to set it as short as possible?
For example: my application is to do with time and attendance, so I could assume that the maximum time away from the app would be a 2-week holiday, so I could set it for 3 weeks or 1 month.
Or should I just set it to 1 year, 10 years? Do developers have some sort of ethical responsibility to keep machines cookie free when they can or are people not bothered about this kind of thing?
I think if your application contains any sensitive data, you should offer a choice to your users, like ‘Remember me’.
We have a business-critical application, where users can have invoices and sensitive data. One year ago we even made two-factor login required for all users.
So it depends on what there is to secure. Or another question: if somebody goes on holiday for 2 weeks, is it so bad that he has to log in again when he arrives home?
Generally it is just a comfort feature, I think.
About the ethical question: if you have personal and important data in your system, you should try to secure it with one of the best technologies available today (I mean e.g. storing passwords), but if you want to give comfort to your users, let them use a “Remember me” function, because then it is not your decision.
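
Added example, not part of the original posts: a sketch of the “Remember me” choice discussed above, where the cookie only becomes persistent (3 weeks, as in the question) if the user opts in, and the server enforces the expiry itself through a signed timestamp instead of trusting the browser. The names `issue_cookie`, `verify_token`, the 8-hour default and the demo key are assumptions made for illustration.

```python
import hashlib
import hmac
import time
from http.cookies import SimpleCookie
from typing import Optional

SECRET = b"constructed-demo-key"   # assumption: placeholder, load from a secret store
SESSION_TTL = 8 * 3600             # assumption: server-side limit without "Remember me"
REMEMBER_TTL = 21 * 24 * 3600      # the 3 weeks suggested in the question

def _sign(payload: str) -> bytes:
    return hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest().encode()

def issue_cookie(user_id: str, remember_me: bool, now: Optional[int] = None) -> str:
    """Return a Set-Cookie header value carrying a signed, expiring user ID."""
    now = int(time.time()) if now is None else now
    ttl = REMEMBER_TTL if remember_me else SESSION_TTL
    payload = f"{user_id}|{now + ttl}"
    cookie = SimpleCookie()
    cookie["auth"] = f"{payload}|{_sign(payload).decode()}"
    cookie["auth"]["httponly"] = True     # not readable from page scripts
    cookie["auth"]["secure"] = True       # only sent over HTTPS
    cookie["auth"]["samesite"] = "Lax"
    cookie["auth"]["path"] = "/"
    if remember_me:
        # Persistent only on opt-in; otherwise the browser drops it on close.
        cookie["auth"]["max-age"] = ttl
    return cookie["auth"].OutputString()

def verify_token(token: str, now: Optional[int] = None) -> Optional[str]:
    """Return the user ID, or None if the token is malformed, forged or expired."""
    now = int(time.time()) if now is None else now
    try:
        user_id, expires, sig = token.split("|")
        expires_at = int(expires)
    except ValueError:
        return None
    # Constant-time comparison; a changed ID or expiry invalidates the signature.
    if not hmac.compare_digest(sig.encode(), _sign(f"{user_id}|{expires}")):
        return None
    return user_id if now < expires_at else None
```

Because the expiry is inside the signed value, editing the cookie's lifetime or the user ID in the browser does not extend or change the login.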