feature: cookie/db valid session-period

[mokaspar]

right now, the cookie-expiration and the maximum-valid period of that cookie stored in the db of a successfull authentication are the same. it would be nice to have them spilt.

to be more precise, i give an example: every time the user closes his browser, he has to re-authenticate but as long as he doesn't close his browser, he doesn't have to re-authenticate for - say - the next 24h. right now, there is no way to make mod_auth_openid to behave like that.

[bmuller]

I don't think I understand what you're saying. What is the specific modification you are suggesting? Is it to just remove an expiration time from the cookie and only expire sessions in the DB?

[mokaspar]

sorry for my english:-(

exactly! the reason, why i would prefer this: we use open-id as a single-sign-on and because of that, our users normally just remember to log-out of our IdP but not of the RPs. just because i don't see the current state unfortunate, i doubt, that everyone likes it my way and therefore i would suggest to add another configuration-option...