What is normal login cookie duration?

I would like to revisit this question, as nobody answered it on the “old forum” (which claims that it’s deprecated now). It’s annoying to stay logged in across browser restarts for several WEEKS, and then one day simply be blown out of the water and have to log in again. What is the standard “remember me” duration supposed to be, and which cookie(s) need to still be present??


I mean you could just look at the _osm_session cookie in your browser - it is a client side artifact after all.

The answer you would find is that it’s valid for 28 days, and it does get updated whenever you interact with the site.

The real problem is that how long the cookie lasts is only one part of the equation - the other part is how long the session record on the server lasts because if that expires then the cookie becomes meaningless.

I imagine you’re asking this because you got logged out yesterday and the reason that happened is that we were subject to a DOS attack which caused a lot of sessions to be created which in turn caused the session store to overflow and evict older sessions.


Ah, that explains yesterday, then. Thanks. Why DOSers would want to come after something as useful as Open Streetmap is perplexing…

I seem to be in and out of the main site enough that the session cookie seems to get auto-refreshed on its own, but I’ll keep an eye on expiry times.


Typical motivation of such criminals is extortion, usefulness is not really what matters here. There were also cases of hospitals being victims of DDoS and ransomware and similar attacks.

1 Like