Alan Burlison wrote:

> Somewhere between one and four hours seems like a reasonable time for
> the inactivity logout,

What are the statistics on the cookie stealing incidents we are experiencing? What was their explicit impact? Their potential impact? (i.e., is this a theoretical or real problem?)

> re-supply their passwords when doing any
> security-critical operations such as registering a new SSH key or
> changing their password

Yahoo & Google force password entry at other points as well - effectively, if it has been "too long" since you reauth'd, any "change my info" operation triggers one - where too long is (IIRC) between several hours and 2 weeks.

I don't expect most people will be doing activities on the site as often as you presume (between one and four hours) - while *some* people live on os.o, I would guess that the vast majority revisit on a daily or weekly (or longer) basis. [this would be a good place for some real data]

(I get my os.o email in Thunderbird or via GMail, I do most of my interactions with genunix's wiki and hg; I hit up OS.o with my browser only infrequently, daily to a couple of times a week. I'd be pretty turned off if I was forced to relogin every one of those times.)

I predict that an inactivity logout of less than a week or so would be a huge dissatisfier for the majority of casual OS.o users.

> although this will of course be configurable.

As long as it can be set to things like "2 weeks", "1 month" or even "never"...

-John

_______________________________________________
website-discuss mailing list
