Last modified: 2014-10-30 20:05:45 UTC
For the API Login, it would be nice if there was a modifiable session time limit. For example, a parameter lgsessionlimit=300 would mean that the sessionid would be valid for only 700 minutes (seconds would be silly). This would be primarily a security enhancement and make session hijacking more difficult if a bot op forgot (or couldn't) log out.
Unless I'm missing something, there doesn't seem to be core functionality for this yet...
(In reply to Sam Reed (reedy) from comment #1)
> Unless I'm missing something, there doesn't seem to be core functionality
> for this yet...

Time-limited token support was added with Gerrit change #156336.

Maybe with that feature it is possible to time limit the login token (or allow time limits for other tokens with a time param for meta=tokens).
(In reply to Umherirrender from comment #2)
> time limited token support was added with Gerrit change #156336
> Maybe with that feature it is possible to time limit the login token (or
> allow time limits for other tokens with a time param for meta=tokens)

The time limit for the time-limited tokens is determined by whatever uses the token, not by what issues it.