Re: Can we change auto-logout timing on wiki.postgresql.org?

On 04/27/2013 05:24 PM, Magnus Hagander wrote:
> On Sat, Apr 27, 2013 at 4:09 PM, Bruce Momjian <bruce@momjian.us> wrote:
>> On Sat, Apr 27, 2013 at 11:10:43AM +0200, Stefan Kaltenbrunner wrote:
>>> On 04/27/2013 08:55 AM, Joshua D. Drake wrote:
>>>>
>>>> On 04/26/2013 11:39 PM, Stefan Kaltenbrunner wrote:
>>>>
>>>>> interesting hint - thanks.
>>>>>
>>>>> I have now increased the relevant timeouts to 6h - lets see how that
>>>>> goes..
>>>>
>>>> FTR, I don't think we should autologout people or at least it should be
>>>> set to something like 7D.
>>>
>>> well from a security perspective it is usually advisable to keep session
>>> lifetimes as short as possible, I agree that the current setup was way
>>> to aggressive, but 6h already results in a 6-15x increase of what we had
>>> before. We can always adjust upwards if we people are really working 6h+
>>> on an article but lets see first if this change really fixes the issue
>>> berkus complained about.
>>
>> This is a wiki, not a banking website.  We need to use security that is
>> appropriate for what we are guarding.  We could just prevent edits and
>> it would be even more secure.  ;-)
>>
>> I would like 7 days, myself.
> 
> Note that this is not 7 days since you logged in. It's 7 days since
> you last did something. And as long as you don't stop working, you
> never get logged out ;)

and from looking at the average time between changes and the overall
changerate of any given site I don't really see how people people will
realistically hit the 6h limit. Anyhow if somebody wants to change this
to a larger limit I wont object, but 7 days seems mighty excessive...


Stefan