Originally Posted by ExpertFlyer Voice
You're misunderstanding my response. "keep me logged in" vs "keep an active session on the server" are not two different things, they are technically linked and changing one requires us to change the other to ensure continuity and to not introduce user confusion when, say for example, a Refine Query link is clicked and a blank search form is shown instead because the user's session information has timed out, or they are sent back to the page you see after login, etc.
If you require a more technical response, feel free to email us at [email protected] and we can talk about this off-line since you can't really know what can/can't be done or how without knowing how our system works. Nothing is "impossible", everything is just a trade-off or a matter of priority, as is the norm for a small business.
I don't actually want a more technical response (i.e., further explanation about why my request won't be addressed). I'd like EF to consider ways in which this request COULD be accommodated. Things like the Refine Query link don't work after 45 minutes as it is (dump back to login), so I'm not sure what experience exactly would be worse than it is today.
In case it's not clear: YES, it is preferable to go back to the home page, or a blank search page, or ANY logged-in page after 45 minutes of idle time rather than the current behavior of a login prompt.
Originally Posted by inlanikai
There is a big non-technical difference between the two sites. FT is a free service with no information of inherent value about the user stored in their profile. EF is a subscription-based service with sensitive information about the user accessible to one who has access to the logged in account. To me, the requirement to log in every time is a security feature I welcome regardless of whatever "back-end" technical issues there may or may not be. My online bank, credit card sites, AA.com, and other sites that hold sensitive information, do not offer the option to keep me logged in and will in fact time out and log me off after some short period of inactivity.
We've had the "security" discussion as well. If you don't trust who uses the computer, don't enable auto-login. But denying auto-login to everyone because of some nebulous security concern is about as ridiculous as most TSA policies. If it's important to you to constantly be logged out, no one is suggesting forcing you to stay logged in, or removing the log out feature. All we want is the CAPABILITY to stay logged in and not have to constantly log in all day.
Originally Posted by aktchi
This is a valid point. I too tend to be more concerned about security than convenience. For example, after experiencing just how casually credit cards are handled, I not only leave mine unsigned at the back, but also black it out (so nobody else can sign it). This way, for any nontrivial charge, they give me a confused look and ask to see my ID.

I have also blacked out the CVC code at the back (and noted it down separately).
I'm not sure what security you think you're gaining. Every merchant that accepts a credit card is not a handwriting expert, and the signature panel is not there to confirm your identity anyway. It's there to ensure you have agreed to the credit card agreement. The credit card company wants to make sure you've signed it as a way to strengthen their case that you owe them money for items charged to the card. That's why the card says "Not valid unless signed" instead of "Merchant: Please verify the customer's signature matches this one."