InfoSec policyfilter: Web app session timeouts
January 9, 2023 12:25 PM

Our InfoSec team enforces short (30 minute) SSO session timeouts on some web apps that are available over the internet. This has caused some discontent, as people can't leave browser tabs up with useful info. We also don't log people out of other apps (Outlook, for example) that quickly. Is this a good balance between security and usability or not?
posted by caviar2d2 to Computers & Internet (7 answers total) 1 user marked this as a favorite
 
Best answer: I think this is very hard to answer without knowing the threat model and just how big the hit to usability is. But if it's inconvenient enough that lots of people are complaining about it, it's worth looking at what exactly the risk is.

Also note that short timeouts may lead to users downloading the information they need to their local machines, which can be its own security risk, or even using plugins to keep the background tab "live."
posted by mskyle at 12:37 PM on January 9, 2023 [3 favorites]


Best answer: There's no hard limit nor any discussion on what should be a good number that I recall. As @mskyle said, it's all dependent on the threat modeling and the infosec being arrayed against it. In fact, I think it's more of a license number compliance thing than an infosec thing.

Personally, the solution to this is often called a "mouse jiggler". It just jiggles the mouse / keyboard every X minutes, thus canceling any timeout actions.
posted by kschang at 12:46 PM on January 9, 2023


Most of the internal corporate sites my company uses have timeouts far shorter than 30 minutes, so I'd say it's pretty fair for public facing ones.
posted by The_Vegetables at 1:55 PM on January 9, 2023


Best answer: Thirty minutes would be considered over-generous to some of the clients I work with. I'm used to dealing with InfoSec people from the banking and finance sectors, and often they'll want sessions to expire after 5 or 10 minutes maximum.

Having said that, if your OS is already set up to go to a lock screen after 5 or 10 minutes, then there may not be any extra benefit in messing with session timeouts.
posted by pipeski at 1:56 PM on January 9, 2023


It's not really comparable to email, because sharing protected information via email is definitely a violation. Is it at your company?

We do have secure email, with explicit login required, for sharing sensitive documents. That also logs out after less than 30 minutes.
posted by The_Vegetables at 1:57 PM on January 9, 2023


One poster has already mentioned the risk presented by users downloading the information.

Such a feature is also going to possibly result in people taking smartphone pics of their screens - another risk!
posted by jacobean at 2:33 PM on January 9, 2023


Session timeouts can be calculated in a few different ways:

- You log in, 30 minutes pass and then, no matter what, you are logged out and lose all unsaved data.
- You log in, every time you type something, the 30 min countdown is reset and starts counting down again.
- You log in, every time you move the mouse, the 30 min countdown is reset and starts counting down again.
- Some combination of the above. In many systems there will be a disconnect after 15-60 minutes of inactivity and also a hard disconnect after a few hours.

The cost of lost/unsaved data in these situations is often underestimated because it never gets measured.
posted by Lanark at 2:59 PM on January 9, 2023
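The three timeout models listed in the answer above (hard limit only, inactivity limit only, and the common combination of both), as an added example that is not part of any post in this thread. The 30-minute idle and 8-hour absolute values are illustrative assumptions, as is the simulated user who generates activity at a fixed interval.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Added example, not from the thread. The timeout values below are illustrative
# assumptions, not anyone's actual policy.

@dataclass
class SessionPolicy:
    idle_timeout: Optional[timedelta]      # reset by user activity; None = never idle-expire
    absolute_timeout: Optional[timedelta]  # counted from login, never reset; None = no hard limit

@dataclass
class Session:
    login_at: datetime
    last_activity_at: datetime

def session_state(policy: SessionPolicy, s: Session, now: datetime) -> str:
    """Return 'active', 'idle_expired' or 'absolute_expired'.
    The absolute limit is checked first: no amount of activity (mouse jiggler included) revives it."""
    if policy.absolute_timeout is not None and now - s.login_at >= policy.absolute_timeout:
        return "absolute_expired"
    if policy.idle_timeout is not None and now - s.last_activity_at >= policy.idle_timeout:
        return "idle_expired"
    return "active"

def touch(policy: SessionPolicy, s: Session, now: datetime) -> Optional[Session]:
    """Record activity. Returns the refreshed session, or None if it had already expired;
    the server must re-check before extending, or a late request would resurrect a dead session."""
    if session_state(policy, s, now) != "active":
        return None
    return Session(login_at=s.login_at, last_activity_at=now)

# The three models from the answer above, as policies (values are assumptions):
HARD_ONLY = SessionPolicy(idle_timeout=None, absolute_timeout=timedelta(minutes=30))
IDLE_ONLY = SessionPolicy(idle_timeout=timedelta(minutes=30), absolute_timeout=None)
COMBINED = SessionPolicy(idle_timeout=timedelta(minutes=30), absolute_timeout=timedelta(hours=8))

def minutes_until_logout(policy: SessionPolicy, activity_every: int, horizon: int = 600) -> Optional[int]:
    """Simulate a user who generates activity every `activity_every` minutes and return the
    minute at which the session first stops being 'active' (None if it survives the horizon)."""
    t0 = datetime(2023, 1, 9, 12, 0)  # constructed login time
    s = Session(login_at=t0, last_activity_at=t0)
    for m in range(1, horizon + 1):
        now = t0 + timedelta(minutes=m)
        if session_state(policy, s, now) != "active":
            return m
        if m % activity_every == 0:
            s = touch(policy, s, now)
    return None
```

With activity every 20 minutes the hard-only policy still ends the session at minute 30 (and any unsaved work with it), the idle-only policy never ends it, and the combined policy ends it at the 8-hour mark.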

