Quote:
Originally Posted by u-Bob
minimum for a cookie: 3 days imho.
maximum for that server side stored info: half an hour. (Otherwise you are encouraging cookie stuffing attacks).
The way we do it, the server-stored data timeout is identical to the cookie data's,
as both are being compared to verify the cookie data is not manipulated.
Anything that gets changed in the cookie would result in a negative match
with the server-side stored data, which results in the cookie data getting ignored
and us getting alerted for possible fraud.
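
An added sketch of the check described in the reply above, not part of the original post and not the poster's code. The `TrackingStore` class, its in-memory dictionary, and the lifetime value are assumptions made for illustration.

```python
import hmac
import time

COOKIE_TTL = 3 * 24 * 3600  # constructed value: cookie and server record share one lifetime


class TrackingStore:
    """Server-side copy of each issued cookie (hypothetical in-memory store)."""

    def __init__(self, ttl=COOKIE_TTL, clock=time.time):
        self.ttl = ttl
        self.clock = clock
        self.records = {}  # session id -> (cookie value, expiry timestamp)
        self.alerts = []   # possible-fraud events queued for review

    def issue(self, session_id, value):
        """Store the server copy and return the cookie attributes to set."""
        self.records[session_id] = (value, self.clock() + self.ttl)
        return {"sid": session_id, "value": value, "max_age": self.ttl}

    def verify(self, session_id, presented_value):
        """Return the trusted value, or None when the cookie must be ignored."""
        record = self.records.get(session_id)
        if record is None:
            return None  # nothing to compare against: ignore the cookie
        stored_value, expires = record
        if self.clock() >= expires:
            del self.records[session_id]  # server copy times out with the cookie
            return None
        # Constant-time comparison of the presented cookie with the server copy.
        if not hmac.compare_digest(stored_value.encode(), presented_value.encode()):
            self.alerts.append((session_id, presented_value))  # negative match
            return None
        return stored_value
```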
