On Tue, Jan 5, 2010 at 8:49 AM, Devin A. Brown wrote:
> I work for a very well-known publishing / corporate site that
> attracts a high number of C-level global visitors. Our Security IT
> department has asked us to change our login procedures to
> auto-log out users after 30 minutes (like a bank) as opposed to never
> auto-expiring a login authentication cookie.
I think the "right" answer here will depend on some more details about the site.

Banks kick people off after 30 minutes because of the high exposure associated with a session sticking around after the person has left the computer: someone might steal their money. What operations (if any) are possible on your site that reach the importance of losing money?

If you can come up with a list of those actions that cause so much concern to the Security IT folks, then you can propose an alternative: require users to re-authenticate if it's been more than 30 minutes since they logged in and they are trying to do one of those operations. In this hybrid approach your users will still be able to easily access the articles you want them to read, and yet the really important operations will be protected. Your users may even thank you for adding this security enhancement because it shows you care about their assets.

If there aren't any really important operations that your visitors take on your site, then this sounds like a typical corporate top-down mandate-for-mandate's-sake. And the best way I know to defeat those is to get an ally high in the company to see your side of the story who can fight against it ;)

Regards,
Greg

--
Greg Knaddison | 303-800-5623 | http://growingventuresolutions.com

________________________________________________________________
Welcome to the Interaction Design Association (IxDA)!
To post to this list ....... [email protected]
Unsubscribe ................ http://www.ixda.org/unsubscribe
List Guidelines ............ http://www.ixda.org/guidelines
List Help .................. http://www.ixda.org/help
