[Sigia-l] time-out session lengths, security, and user tasks

karl fast karl.fast at pobox.com
Tue Nov 12 00:00:09 EST 2002


> Karl, while you address the needs for a specific situation, a bank, and
> successfully answer the main question, that
> 
> a) doesn't answer the question in all instances

Yes, though I believe you asked about secure sessions specifically.
Can you give me a situation for a secure connection where this would
not apply? 

> b) provides little guidance for any notion of "why 20 minutes".

How can I? Obviously 45 days is as unreasonable as 10 seconds. But
there is no formula for this. You have to make some sort of
estimate about what's reasonable. Twenty minutes seems reasonable to
me for many applications, but I have no evidence to back this up. On
an intranet you might make it more. A bank might make it less (my
bank has a ten minute timeout). 

I don't think anyone can give you a formula to give this a number.

> As someone who has shopped on sites where Broadvision is used, and
> thus lost shopping carts after having been dormant for 20 minutes,
> I think my question is fair.

AHHH!!! Now this is different. A shopping cart is not secured and
shouldn't be set at twenty minutes.

The *checkout* process is secured and it can be set up to have a
separate timeout value. A short timeout on the checkout is probably
rooted in assuming that once you decide to buy, i.e., to start the
checkout process, you are either going to complete the transaction
or cancel the whole thing (I dunno if this is a valid assumption).

So is your complaint about short timeouts on the shopping cart, or
the secured checkout process? Or both?

> The degree which people will roll over for issues of security or
> CPU time distresses me.

Sure. Now to defend the IT people, I'll toss out that the degree to
which people don't understand basic technical or security issues
distresses me.

We have so few people who speak both geek and usability, IA,
interaction design, etc.


--karl
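
The split described in the message above, a long-lived unsecured cart beside a secured checkout with its own short idle timeout, as an added example that is not part of the original post. The class and method names are hypothetical and the 30-day cart lifetime is an assumed value; the 20-minute checkout idle timeout is the figure discussed in the message.

```python
import secrets

# Assumed values for illustration; the message gives no formula for choosing them.
CART_IDLE_SECONDS = 30 * 24 * 3600   # unsecured cart: long-lived
CHECKOUT_IDLE_SECONDS = 20 * 60      # secured checkout: short idle timeout


class Session:
    """One visitor session with an unsecured cart tier and a secured checkout tier."""

    def __init__(self, now):
        self.cart = []
        self.cart_seen = now
        self.checkout_token = None   # issued only after authentication
        self.checkout_seen = None

    def touch_cart(self, now):
        """Return True if the cart is still alive; cart expiry clears both tiers."""
        if now - self.cart_seen > CART_IDLE_SECONDS:
            self.cart = []
            self.end_checkout()
            return False
        self.cart_seen = now
        return True

    def begin_checkout(self, now):
        """Call after the user authenticates; always issues a fresh token."""
        self.checkout_token = secrets.token_urlsafe(32)
        self.checkout_seen = now
        return self.checkout_token

    def end_checkout(self):
        self.checkout_token = None
        self.checkout_seen = None

    def checkout_allowed(self, token, now):
        """Validate the secured tier; idle expiry drops it but keeps the cart."""
        if self.checkout_token is None:
            return False
        if now - self.checkout_seen > CHECKOUT_IDLE_SECONDS:
            self.end_checkout()      # forces re-authentication, cart untouched
            return False
        if not secrets.compare_digest(token, self.checkout_token):
            return False
        self.checkout_seen = now     # activity slides the idle window
        return True
```

Timestamps are passed in as seconds so the expiry logic can be exercised without waiting; a real deployment would pass the server clock.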





