[Sigia-l] time-out session lengths, security, and user tasks

Peter Merholz peterme at peterme.com
Mon Nov 11 18:23:38 EST 2002


> In most secure situations, 20 to 30 minutes seems to be the accepted
> standard.

But I think the main question is, "Why?"

I hate session time-outs, for all the good reasons Christy refers to. There
are numerous reasons why sessions will become interrupted.

In my ideal world, there would be no session timeouts. Can you ask the
security folks to give a good reason for a session timeout? And, if so, can
you then ask them to point to why 20 or 30 minutes?

Overbearing security practices are a HUGE detriment to quality user
experiences. (8-character passwords that require a seemingly random
collection of letters, numbers, and punctuation, anyone?) And they are rarely
justified. Lazy engineers, who seem to accept these practices, foist them
upon the rest of us, forcing us to develop workarounds (writing down
passwords, having password files on our machines) that end up making our
systems LESS secure. (But that's another issue.)

If nothing else, if you have to have a session timeout, you should save the
user's information, so that they can log in and recover everything.

--peter
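The last suggestion in the message above (keep a timeout if you must, but save the user's work so it survives a re-login) is easy to get wrong if the draft is stored on the session itself, because it then dies with the session. The example below is added here and is not part of the original post or the Sigia-l thread; SessionStore, DraftStore, FakeClock and the 20-minute idle / 8-hour absolute values are hypothetical choices made for illustration, and the stores are in-memory stand-ins for whatever database or cache a real site would use. It enforces both an idle timeout and an absolute timeout, autosaves in-progress form data keyed by user rather than by session, and hands the draft back on the next successful login.

```python
"""Idle-timeout sessions that preserve in-progress work across re-login.

Added example, not code from the original mailing-list post. SessionStore,
DraftStore and FakeClock are hypothetical in-memory stand-ins; the timeout
values are assumptions chosen to match the figures discussed in the thread.
"""
import secrets

IDLE_TIMEOUT_SECONDS = 20 * 60        # assumed: the "20 to 30 minutes" figure
ABSOLUTE_TIMEOUT_SECONDS = 8 * 3600   # assumed: cap even on an active session


class SessionExpired(Exception):
    """Raised when a token is unknown or has idled/aged out."""


class DraftStore:
    """Unsaved form state keyed by *user id*, not by session token.

    Because the key is the user, a draft outlives the session that wrote it
    and is returned to the same user after re-authentication.
    """
    def __init__(self):
        self._drafts = {}  # user_id -> {form_id: data}

    def save(self, user_id, form_id, data):
        self._drafts.setdefault(user_id, {})[form_id] = dict(data)

    def restore(self, user_id):
        # Copy so callers cannot mutate the stored draft by accident.
        return {k: dict(v) for k, v in self._drafts.get(user_id, {}).items()}

    def clear(self, user_id, form_id):
        self._drafts.get(user_id, {}).pop(form_id, None)


class SessionStore:
    """Server-side sessions with idle and absolute timeouts."""
    def __init__(self, drafts, clock, idle=IDLE_TIMEOUT_SECONDS,
                 absolute=ABSOLUTE_TIMEOUT_SECONDS):
        self._sessions = {}   # token -> {"user", "created", "last_seen"}
        self._drafts = drafts
        self._clock = clock   # callable returning seconds; injected for testing
        self._idle = idle
        self._absolute = absolute

    def login(self, user_id):
        """Mint an unguessable token and return it with any saved drafts."""
        token = secrets.token_urlsafe(32)
        now = self._clock()
        self._sessions[token] = {"user": user_id, "created": now, "last_seen": now}
        return token, self._drafts.restore(user_id)

    def touch(self, token):
        """Validate the token on every request and refresh its idle clock."""
        sess = self._sessions.get(token)
        if sess is None:
            raise SessionExpired("unknown or already-expired session")
        now = self._clock()
        if (now - sess["last_seen"] > self._idle
                or now - sess["created"] > self._absolute):
            del self._sessions[token]   # abandoned session can no longer act
            raise SessionExpired("session timed out")
        sess["last_seen"] = now
        return sess["user"]

    def autosave(self, token, form_id, data):
        """Called periodically by the page while the user is still working."""
        user = self.touch(token)
        self._drafts.save(user, form_id, data)


class FakeClock:
    """Deterministic clock so the timeout path can be exercised offline."""
    def __init__(self, start=0.0):
        self.t = start

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def demo():
    """Walk through: work, get interrupted past the idle limit, log back in."""
    clock, drafts = FakeClock(), DraftStore()
    store = SessionStore(drafts, clock)
    token, restored = store.login("alice")        # first login: nothing saved
    store.autosave(token, "application", {"name": "Alice", "step": 3})
    clock.advance(IDLE_TIMEOUT_SECONDS + 1)       # constructed interruption
    try:
        store.touch(token)
        expired = False
    except SessionExpired:
        expired = True
    _, restored = store.login("alice")            # re-login recovers the draft
    return expired, restored


if __name__ == "__main__":
    print(demo())
```

The design choice worth noticing is that the timeout and the draft live in different stores with different keys: the session is the thing that must not outlive the user's absence, the draft is the thing that must. Autosave runs on the user's own requests, so the last save always precedes the expiry, and a second user logging in on the same machine gets an empty draft set rather than someone else's.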