[Sigia-l] time-out session lengths, security, and user tasks

Listera listera at rcn.com
Mon Nov 11 18:16:08 EST 2002


"Christy Mylks" wrote:

> Are there any actual standards (official or conventional) for how long you
> can let your users remain "inactive" on a secure site before it times out
> on them?

Short answer: no.

Longer: If you're connected via HTTP (normal for a web browser) you are, in
a manner of speaking, always "timed out" or "inactive", as HTTP is
stateless.

Normally, the server doesn't know you from Adam as soon as the page your
browser requested is sent. There are several ways of keeping track of who's
"connected" to the server at any given time, by creating a "session." The
first time the user connects, a unique ID is created with a time stamp to
start the session. The session info can then be stored in a cookie (user
side) or in a table or in memory at the server. So every time the user
requests another page, the session ID is referenced and appropriate action
is taken.

Now there's no technical reason why this "session" cannot be maintained
indefinitely, even on a secure site. However, for reasons of security,
workflow, mandated expiration, marketing, tracking, server workflow, etc.,
the session is often expired after an 'appropriate' period, usually to be
re-started at the next login.

There's utterly and absolutely no "industry standard" for how long a session
should be kept alive. There are many technical and non-technical reasons as
to why one number may be better than another.

Best,

Ziya
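The mechanism Ziya sketches above (a unique ID minted at first contact with a time stamp, kept in a server-side table, looked up on every request, and expired after some chosen period) is shown here as a worked example. This is added code, not something from the original post or the Sigia-l list; the 15-minute idle timeout, the 8-hour absolute lifetime, the `FakeClock` used to step time forward, and the `demo()` scenario are all assumptions chosen for illustration, not a standard of any kind.

```python
import secrets
import time

# Assumed values for the example only; the post's point is that no
# industry standard fixes these numbers.
IDLE_TIMEOUT = 15 * 60          # seconds without a request before the session dies
ABSOLUTE_LIFETIME = 8 * 3600    # hard cap measured from session creation


class SessionStore:
    """Server-side session table: session ID -> {user, created, last_seen}."""

    def __init__(self, idle_timeout=IDLE_TIMEOUT,
                 absolute_lifetime=ABSOLUTE_LIFETIME, clock=time.time):
        self._sessions = {}
        self.idle_timeout = idle_timeout
        self.absolute_lifetime = absolute_lifetime
        self._clock = clock  # injectable so tests can move time deterministically

    def create(self, user):
        """First contact: mint an unpredictable ID and stamp the start time."""
        sid = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        now = self._clock()
        self._sessions[sid] = {"user": user, "created": now, "last_seen": now}
        return sid

    def lookup(self, sid):
        """Called on every request. Returns the user, or None if the session is
        unknown or expired. Expired entries are purged rather than left around."""
        rec = self._sessions.get(sid)
        if rec is None:
            return None
        now = self._clock()
        idle_for = now - rec["last_seen"]
        age = now - rec["created"]
        if idle_for > self.idle_timeout or age > self.absolute_lifetime:
            del self._sessions[sid]
            return None
        rec["last_seen"] = now   # sliding window: activity extends the idle clock
        return rec["user"]

    def destroy(self, sid):
        """Explicit logout."""
        self._sessions.pop(sid, None)

    def active_count(self):
        return len(self._sessions)


def session_cookie_header(sid, name="sid"):
    """Set-Cookie value for handing the ID to the browser. Only the opaque ID
    travels to the client; the time stamps stay in the server table."""
    return f"{name}={sid}; Path=/; HttpOnly; Secure; SameSite=Lax"


class FakeClock:
    """Assumed test clock so the demo can advance time without sleeping."""

    def __init__(self, start=1_000_000.0):
        self.t = start

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def demo():
    """Walk one session through idle expiry and another through absolute expiry."""
    clock = FakeClock()
    store = SessionStore(idle_timeout=900, absolute_lifetime=3600, clock=clock)
    out = {}

    sid = store.create("alice")
    clock.advance(600)
    out["after_10m"] = store.lookup(sid)             # within idle window
    clock.advance(600)
    out["after_20m_sliding"] = store.lookup(sid)     # last request was 10m ago, still fine
    clock.advance(1000)
    out["after_idle"] = store.lookup(sid)            # 1000s idle > 900s: gone
    out["purged"] = sid not in store._sessions

    sid2 = store.create("alice")                     # "re-started at the next login"
    out["new_id_differs"] = sid2 != sid
    for _ in range(7):                               # keep it busy every 500s
        clock.advance(500)
        out["kept_alive"] = store.lookup(sid2)       # age reaches 3500s, still valid
    clock.advance(500)
    out["after_absolute"] = store.lookup(sid2)       # age 4000s > 3600s cap: gone
    out["remaining"] = store.active_count()
    return out


if __name__ == "__main__":
    print(demo())
```

The two clocks do different jobs: the idle timeout handles the walked-away-from-the-desk case, while the absolute lifetime bounds how long a stolen ID stays useful no matter how active the thief is. Both checks run on every request, which is the only moment a stateless server gets to notice that time has passed.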