Alan Burlison wrote:
> Brian Utterback wrote:
>> What kind of evidence would be sufficient for you? Do you need
>> medical records showing muscle damage from logging in so many times
>> in a week? You are stating an opinion about what is reasonable,
>> others have disagreed. You are unconvinced and apparently plan to go
>> ahead with the change despite the opposition. Others have then gotten
>> miffed that you are ignoring their opinions and you have gotten
>> miffed that they are miffed at you. Great progress there.
>
> That's incorrect, I have listened to the feedback I've been given.
> Dan and others quite reasonably pointed out that the initial proposal
> was too draconian as it would mean people logging in multiple times
> during a working day. Asking people to log in once on the days when
> they want to edit pages on the site doesn't seem unreasonable - or are
> you really asserting that logging in once a day is a risk to people's
> health?

You're back to "doesn't seem unreasonable", which is your opinion. You have been given contrary opinions here. The problem here is that you are ignoring the basics of change management. The current expiration is infinite. Your proposal is daily. That is a huge difference. It doesn't matter to me particularly, but it seems to me that you have rejected out of hand some reasonable proposals, without any real explanation of the issues at hand. I am not at all sure what the reason for the change really is. The only explanation I recall amounted to three words: Security - Source Code.

>
>> Turn this around. Several people have stated that a longer session
>> timeout is not unreasonable and you have not offered firm evidence to
>> the contrary.
>
> I've already explained that I'm balancing security against usability.
> I've spoken to the Sun security people, and followed their lead in
> adopting an 8 hour inactivity logout. Actually, I'm being a little
> more lenient than them as they have a mandatory logout after 24 hours.
> Following their lead is an entirely reasonable and diligent approach,
> and that's what I am doing.

Sure, they went to 8 hours once it became apparent that the shorter timeout was reducing the security rather than enhancing it, after months of complaints by the users that actually stopped using Sun Solve because the additional pain didn't have any effect at all. Do you really want to see the same thing happen to OS.o?

Look, it doesn't matter at all to me. Once a day login is fine with me. But once a week would be better. I am just tired of nebulous claims of "security!" making our lives miserable for no discernible reason. Sun Solve was rendered almost too painful to use, IBIS was initially unusable for the same reason. The blogs.sun.com conversion still has people complaining daily about the changes, and I know for a fact that several users abandoned it over these issues. You are missing the basic change management step of "buy in" here.

Brian Utterback
_______________________________________________
website-discuss mailing list
