
Re: [WEB SECURITY] Time Parameter For Expiration of the Session



On 8/25/06, Bergel B, Gabriel <Gabriel.Bergel@xxxxxxxxxxxx> wrote:
> I am updating the standard applications for Web-sites in my company, and I
> would like to establish the time parameter for expiration of the session.
> Could you tell me what the standard time period recommended is for a website
> that is not used for money transfers, but through which you have access
> to confidential information?

There isn't one. This is entirely a matter of how paranoid you are about your data versus how much you are willing to annoy your users. Short timeouts are safe, but irritate users because they are constantly being asked to log in. Long timeouts are convenient, but less safe.

A fairly typical compromise is to have two timeouts.  One timeout
applies to sessions that are not being used.  For example, if a
session is unused for 10 minutes, you might expire the session on the
assumption that the user went to another web site or walked away from
their computer.  The other timeout applies even if the session is in
use.

Regards,
Brian
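The two-timeout scheme Brian describes (an idle timeout that activity resets, plus an absolute timeout that activity does not), as an added illustration rather than code from the thread. The session store, the 10-minute and 8-hour values, and the injected `now` clock are all assumptions made for the example.

```python
import secrets
from dataclasses import dataclass
from typing import Optional

# Constructed example values: 10 minutes idle, 8 hours absolute (in seconds).
IDLE_TIMEOUT = 10 * 60
ABSOLUTE_TIMEOUT = 8 * 60 * 60


@dataclass
class Session:
    user: str
    created_at: float   # when the session was issued; the absolute clock starts here
    last_seen: float    # last validated request; the idle clock restarts here


class SessionStore:
    """In-memory session store enforcing both an idle and an absolute timeout."""

    def __init__(self, idle_timeout: float = IDLE_TIMEOUT,
                 absolute_timeout: float = ABSOLUTE_TIMEOUT) -> None:
        self.idle_timeout = idle_timeout
        self.absolute_timeout = absolute_timeout
        self._sessions: dict[str, Session] = {}

    def create(self, user: str, now: float) -> str:
        # Unpredictable session id; `now` is passed in so the example is testable offline.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session(user=user, created_at=now, last_seen=now)
        return sid

    def validate(self, sid: str, now: float) -> Optional[Session]:
        """Return the session if still valid (refreshing its idle clock), else None."""
        session = self._sessions.get(sid)
        if session is None:
            return None
        expired_idle = now - session.last_seen > self.idle_timeout
        expired_absolute = now - session.created_at > self.absolute_timeout
        if expired_idle or expired_absolute:
            # Drop expired sessions so a stale id cannot be revived by a later request.
            del self._sessions[sid]
            return None
        session.last_seen = now   # activity resets only the idle timeout
        return session

    def logout(self, sid: str) -> None:
        self._sessions.pop(sid, None)
```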

----------------------------------------------------------------------------
The Web Security Mailing List: http://www.webappsec.org/lists/websecurity/


The Web Security Mailing List Archives: http://www.webappsec.org/lists/websecurity/archive/
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]