05-10-2008
Jerry Stuckle

Re: Unusual password request

Chuck Anderson wrote:
> sheldonlg wrote:
>> Chuck Anderson wrote:
>>
>>> sheldonlg wrote:
>>>
>>>> I got an unusual request. One customer wants a password/access made
>>>> available to a user that is valid for only, say, ten minutes. I
>>>> know that I can enforce this by having a revalidation of the
>>>> password every time the user changes a page. This, though, seems
>>>> like a lot of overhead in having to make a db call every time a
>>>> page is changed.
>>>> I also thought about setting a timer for ten minutes, and on
>>>> firing of that timer unset a session variable that I would have set
>>>> when the user is given this temporary access. Doing this, I would
>>>> only have to check at the top of every page that the session
>>>> variable is set - no big deal.
>>>>
>>> You need to validate that the user is logged in (session) on every
>>> page requiring password access anyway, right? So store the login time
>>> in a session variable and if it has timed out, ... log them out. I
>>> don't see the problem.
>>>
>>
>> Man, it is really trivial after all. Thanks. (Now why didn't I think
>> of such an obvious solution?)
>>
>>
>>
>>>> What do you folks think about this request?
>>>>
>>> Seems rude to me.
>>>
>>
>> Huh? I hope you don't mean me. If you mean the client, what he wants
>> to do is give a "taste" of the site before the user has to subscribe.
>>
>
> You said "I got an unusual request. ........ " And later asked ...
> "What do you folks think about this request?"
> So ..... what do you think?
>
> Logging someone out after ten minutes seems rude. If I got a phone call
> ..... had to break away for some reason ..... was simply confused for 8
> minutes ..... and then that was it; I don't think I'd be coming back.
> Restricting usage somehow rather than time at the site seems a better idea.
>

I agree. Better to give them access to a subset of what's available,
with information on what they're missing.

Plus, there are ways around it - for instance, when my session expires,
just create another user (so maybe I have to clear cookies in my
browser). And if it requires verification, I can create 5,000 gmail
accounts and be there for months.

But more likely I'll never come back.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
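
The approach discussed in this thread (record the login time server-side and check it at the top of every protected page), as an added example that is not part of the original posts. It is written in Python for illustration; the class, method and user names are hypothetical, and keeping the start time per account so that a repeat login does not restart the window is an assumption of this example.

```python
import secrets
import time

TRIAL_SECONDS = 10 * 60  # the ten-minute window from the thread


class TrialSessions:
    """Server-side session store: the browser holds only an opaque id."""

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable so expiry can be tested
        self._sessions = {}          # session id -> user name
        self._trial_started = {}     # user name -> time of first login

    def login(self, user):
        """Start a session; return its id, or None if the trial is used up."""
        # Assumption: the clock starts at the first login and is never reset,
        # so logging in again does not buy a fresh ten minutes.
        started = self._trial_started.setdefault(user, self._clock())
        if self._clock() - started >= TRIAL_SECONDS:
            return None
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = user
        return sid

    def check(self, sid):
        """Call at the top of every protected page; returns the user or None."""
        user = self._sessions.get(sid)
        if user is None:
            return None
        if self._clock() - self._trial_started[user] >= TRIAL_SECONDS:
            del self._sessions[sid]  # timed out: log the session out
            return None
        return user


if __name__ == "__main__":
    now = [0.0]                      # constructed clock for the demo
    store = TrialSessions(clock=lambda: now[0])
    sid = store.login("trial-user")
    for minute in (0, 5, 9, 10):
        now[0] = minute * 60
        print(minute, "min:", store.check(sid))
```

The per-page check is a dictionary lookup and a subtraction, with no database call. A newly created account still starts its own window, which is the limitation the post above describes.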
