When logged into a web application, the session does not remain valid forever. Typically, the session expires after a fixed time after login, or after the user has been idle for some time. How long should these times be?
  • @towerful
    11 year ago

    Tbh, for typical consumers I think 2-4 hours is fine.
    Chances are, if the user cares, they will reuse a session in that timeframe. Otherwise, they log in again.
    Any good password manager will clear the clipboard after 10s or so!

    Anything that is critical should use a physical key. Is it YubiKey that do this? (I’m sure it’s becoming a web standard).
    If the YuniKey needs more? Add a biometrics reader on it. Or a password decrypt.
    Have multiple identities or are worried about privacy? Have a key that can provide multiple identies, along with the infra to support this.

    Even if we make passwords absolutely tied to a physical sack of meat… There is still social engineering that can use the user to bypass all that!