A couple weeks ago Lucas Gonze wrote a cool post about passwordless login because he was ticked off that Facebook constantly made him log in. He then highlighted part of my response:

Why do sites force frequent logins anyway?

As of the last day or so Facebook now allows the following (only if you’ve already logged in before from the computer you’re now using, a nice protection against doing this on a public computer):

This is a nice improvement, though there’s almost no chance it was stimulated by Gonze’s or my posts, both because it’s an obvious idea and neither of us has huge readership, and because Facebook got it wrong.

First, a minor nit about the language used — you will stay logged into Facebook on this computer — one can read megalomania into those missing words if one wants (I don’t).

Second, “until you click logout” is may not be true. It looks like Facebook login cookies expire after a month, which gets to the second part of my observation:

The real mystery is sites that do not force login every session (presumably this reduces problem of people forgetting to log out of public terminals), but something longer than a session and shorter than many years. What problem is that addressing?

It is possible that Facebook occasionally refreshes the cookies before they expire, such that “until you click logout” is true so long as you keep visiting Facebook at least once a month. Let’s pretend that it is true. What would be the point of the added complexity? Perhaps it addresses the problem of sale or other transfer of an old computer and forgetting to wipe privacy data first. But it also makes it a pain to visit Facebook less than monthly, which is surely what I want to do at some point (based on what I do with a bunch of now-passé social networks).