This repository has been archived by the owner on Sep 16, 2022. It is now read-only.
Currently, a user does not get logged out of a session. This is a risk, because this gives an attacker more time to steal a session token or, if physical access to a user's PC is possible, the possibility to misuse the session if the user does not lock his/her computer.
Therefore, an inactivity session expiration needs to be set. A reasonable tradeoff between security and usability seems to be 10 min.
@mlehmann3 this is a traditional security vs usability issue. You're right, having a 10 minute session expiration does make sense from a security perspective, but it makes it very inconvenient for end-users (in particular if 2FA is added).
@vpetersson It is, yes. It is OK to extend the session timeout to whatever you feel is OK usability-wise (as long as it's not weeks ;)). The important thing is to have a session timeout at all; it can be an hour or even more if you feel you should not make it less for reasons of convenience. I would not recommend going over a day, though.
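The inactivity expiration requested in the issue, together with the "not over a day" cap from the reply above, as an added example that is not part of this project's code. It assumes a hypothetical server-side session store where the application calls `touch()` on every authenticated request; the clock is injectable so the timeouts can be tested without waiting.

```python
"""Idle-timeout session store (added example, not the project's own code)."""
import secrets
import time
from dataclasses import dataclass

IDLE_TIMEOUT = 10 * 60            # inactivity limit proposed in the issue: 10 minutes
ABSOLUTE_LIFETIME = 24 * 60 * 60  # hard cap regardless of activity: one day


@dataclass
class Session:
    user: str
    created: float    # when the session was issued
    last_seen: float  # last validated request; slides forward on activity


class SessionStore:
    def __init__(self, idle_timeout=IDLE_TIMEOUT,
                 absolute_lifetime=ABSOLUTE_LIFETIME, clock=time.time):
        self.idle_timeout = idle_timeout
        self.absolute_lifetime = absolute_lifetime
        self.clock = clock          # injectable for deterministic tests
        self._sessions = {}         # token -> Session (hypothetical in-memory store)

    def create(self, user):
        """Issue a fresh random token for an authenticated user."""
        token = secrets.token_urlsafe(32)
        now = self.clock()
        self._sessions[token] = Session(user, now, now)
        return token

    def touch(self, token):
        """Validate a token on each request. Returns the user, or None if the
        session is unknown, idle too long, or older than the absolute cap."""
        session = self._sessions.get(token)
        if session is None:
            return None
        now = self.clock()
        idle_expired = now - session.last_seen > self.idle_timeout
        lifetime_expired = now - session.created > self.absolute_lifetime
        if idle_expired or lifetime_expired:
            del self._sessions[token]   # purge, so a stolen token is useless afterwards
            return None
        session.last_seen = now         # activity extends the idle deadline
        return session.user

    def logout(self, token):
        """Explicit logout removes the session immediately."""
        self._sessions.pop(token, None)
```

Because expired entries are deleted rather than merely rejected, a token captured earlier cannot be replayed once the idle window has passed.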