[Sigia-l] time-out session lengths, security, and user tasks
karl fast
karl.fast at pobox.com
Mon Nov 11 20:56:19 EST 2002
> > In most secure situations, 20 to 30 minutes seems to be the accepted
> > standard.
>
> But I think the main question is, "Why?"
There is a damn good reason for this.
I'm a bank. Customers connect to my online banking service through
their web browser. It's a secure service. They log on and pay some
bills. Then they go to Google and search for an apple pie recipe,
then read some news at CNN.com, then go have dinner or take a coffee
break, and come back to the machine a few hours later.
They DID NOT click the little "logout" button in my online banking
service. This means that to me, the bank web server, I think they're
still logged in. This is a BIG PROBLEM.
I have two choices:
1. I can keep them logged in until they come back and click the
logout button (not bloody likely--they've probably forgotten
they were even connected to me).
2. I can kill the connection after a "reasonable" amount of time.
What's "reasonable" is up to me, the web server. I have to
balance usability with technical issues (I can't keep all these
connections open forever since it takes too many system
resources) and security issues (I don't want to let someone else
walk up to the machine, check the history file, and find out they
can access someone else's bank account).
> In my ideal world, there would be no session timeouts. Can you ask
> the security folks to give a good reason for a session timeout?
In my ideal world people would log out of secure applications before
going on to other tasks. This is not just about security.
In the old client-server model this was a non-issue. If you wanted
to do some secure banking you ran the secure bank program. When you
were done you closed that program. You *only* used the secure bank
program for secure banking.
In the Web world we overload the client. The browser can be used for
a bazillion different applications. But now we've got issues with
people logging in and out of applications.
Does that make sense?
This is not done to piss users off. Nor is it done by programmers
who don't understand usability issues. And it's not just a security
issue either.
--karl
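Karl's second choice, killing the session after a "reasonable" idle period, is what a server-side session store does. The following is an added illustration of that mechanism, not code from the post or from any bank: a store keyed by a random token, a sliding idle window set to the 20-minute end of the range quoted above, and a replay of the apple-pie-recipe scenario. Session, SessionStore, bank_scenario and the constructed timings are assumptions of this example.

```python
import secrets
from dataclasses import dataclass, field

IDLE_TIMEOUT_SECONDS = 20 * 60  # lower end of the 20-30 minute window quoted in the thread


@dataclass
class Session:
    user_id: str
    last_activity: float  # seconds; passed in explicitly so the logic is testable offline


@dataclass
class SessionStore:
    idle_timeout: float = IDLE_TIMEOUT_SECONDS
    _sessions: dict = field(default_factory=dict)

    def create(self, user_id: str, now: float) -> str:
        """Log a user in: mint an unguessable token and record the login time."""
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(user_id, now)
        return token

    def resolve(self, token: str, now: float):
        """Map a presented token to a user, or None if unknown or idle too long.

        Each successful request slides the window forward, so a customer who is
        actively paying bills is never cut off mid-task. An expired session is
        deleted on sight, so a URL pulled from the browser history later resolves
        to nothing rather than to someone else's account.
        """
        session = self._sessions.get(token)
        if session is None:
            return None
        if now - session.last_activity > self.idle_timeout:
            del self._sessions[token]
            return None
        session.last_activity = now
        return session.user_id

    def logout(self, token: str) -> None:
        """Explicit logout: the 'little logout button' path."""
        self._sessions.pop(token, None)

    def sweep(self, now: float) -> int:
        """Reclaim idle sessions in bulk (the resource argument from the post)."""
        dead = [t for t, s in self._sessions.items() if now - s.last_activity > self.idle_timeout]
        for t in dead:
            del self._sessions[t]
        return len(dead)


def bank_scenario() -> list:
    """Constructed timeline: log in, pay bills at 5 min, wander off, return 3 hours later."""
    store = SessionStore()
    token = store.create("alice", now=0.0)
    return [store.resolve(token, now=5 * 60),      # paying bills: still logged in
            store.resolve(token, now=24 * 60),     # 19 min after last activity: window slid
            store.resolve(token, now=3 * 3600)]    # back from dinner: session is gone
```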