Reputation: 3459
For sites like Facebook and Stack Overflow, where you can revisit the site after a month of absence and still be logged in: do these sites simply set a long session timeout and then maintain your session data for that period, or do they use some other technique to enable you to stay signed in for extended periods of time?
I have a site with a similar requirement and would like to know what others are doing in these instances. Obviously this is a bad approach for any site that allows access to sensitive information and Facebook and others have received criticism to that extent. For my purposes my application doesn't provide access to user information beyond first/last name.
Thanks in advance for the input!
Upvotes: 0
Views: 565
Reputation: 73564
No, they do not use a long-term session. This would build up to be too much of a memory hog on the server, and sessions clear on the client end as soon as the browser is closed.
Instead, they use a persistent cookie, and use that to identify the visitor on return visits.
Gmail covers this in their documentation. This is a fairly common practice. (Whether it's a good practice for sites that need to be secure is open for debate.)
You can find hundreds of examples of sites that have similar documentation about the use of this method by googling:
cookie "remember me"
You didn't mention your platform (ASP.NET, PHP, etc.), but for ASP.NET, DaniWeb covers how to do this: http://www.daniweb.com/web-development/aspnet/threads/30505
Similar guidance exists for most platforms.
Upvotes: 1
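A sketch of the persistent-cookie approach described in the answer above, added here as an example and not taken from the answer or from any of the sites it mentions. The cookie name `remember_me`, the 30-day lifetime and the in-memory `TOKENS` dict (standing in for a database table) are assumptions; the server keeps only a hash of the token and replaces the token each time it is used.

```python
import hashlib
import hmac
import secrets
import time
from http.cookies import SimpleCookie

LIFETIME = 30 * 24 * 3600  # assumed 30-day "remember me" window
# selector -> (user_id, sha256(validator), expiry); stands in for a database table
TOKENS = {}


def issue_token(user_id, now=None):
    """Create a persistent-login token and return the cookie value."""
    now = time.time() if now is None else now
    selector = secrets.token_urlsafe(12)   # lookup key, not secret on its own
    validator = secrets.token_urlsafe(32)  # secret half, stored only as a hash
    digest = hashlib.sha256(validator.encode()).hexdigest()
    TOKENS[selector] = (user_id, digest, now + LIFETIME)
    return f"{selector}:{validator}"


def redeem_token(cookie_value, now=None):
    """Return (user_id, replacement_cookie) for a valid token, else None."""
    now = time.time() if now is None else now
    selector, sep, validator = (cookie_value or "").partition(":")
    record = TOKENS.get(selector)
    if not sep or record is None:
        return None
    user_id, digest, expiry = record
    del TOKENS[selector]  # single use: valid, expired or mismatched, the row goes
    presented = hashlib.sha256(validator.encode()).hexdigest()
    if now > expiry or not hmac.compare_digest(presented, digest):
        return None
    return user_id, issue_token(user_id, now)  # rotate on every use


def set_cookie_header(cookie_value):
    """Build the Set-Cookie header value for the persistent cookie."""
    cookie = SimpleCookie()
    cookie["remember_me"] = cookie_value
    morsel = cookie["remember_me"]
    morsel["max-age"] = LIFETIME  # survives browser restarts
    morsel["path"] = "/"
    morsel["secure"] = True       # HTTPS only
    morsel["httponly"] = True     # not readable from page script
    morsel["samesite"] = "Lax"
    return morsel.OutputString()
```

On a return visit with no live session, the application would call `redeem_token` on the cookie, start a fresh short-lived session for the returned user and send the replacement cookie; deleting the user's rows from the token store on logout or password change revokes the persistent login.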