On Sat, Apr 27, 2013 at 11:10:43AM +0200, Stefan Kaltenbrunner wrote:
> On 04/27/2013 08:55 AM, Joshua D. Drake wrote:
> >
> > On 04/26/2013 11:39 PM, Stefan Kaltenbrunner wrote:
> >
> >> interesting hint - thanks.
> >>
> >> I have now increased the relevant timeouts to 6h - lets see how that
> >> goes..
> >
> > FTR, I don't think we should autologout people or at least it should be
> > set to something like 7D.
>
> well from a security perspective it is usually advisable to keep session
> lifetimes as short as possible, I agree that the current setup was way
> to aggressive, but 6h already results in a 6-15x increase of what we had
> before. We can always adjust upwards if we people are really working 6h+
> on an article but lets see first if this change really fixes the issue
> berkus complained about.
This is a wiki, not a banking website. We need to use security that is
appropriate for what we are guarding. We could just prevent edits and
it would be even more secure. ;-)
I would like 7 days, myself.
-- Bruce Momjian <bruce@momjian.us> http://momjian.us EnterpriseDB
http://enterprisedb.com
+ It's impossible for everything to be true. +