InfoSec policyfilter: Web app session timeouts
January 9, 2023 12:25 PM
Our InfoSec team enforces short (30 minute) SSO session timeouts on some web apps that are available over the internet. This has caused some discontent, as people can't leave browser tabs up with useful info. We also don't log people out of other apps (Outlook, for example) that quickly. Is this a good balance between security and usability or not?
Best answer: There's no hard limit nor any discussion on what should be a good number that I recall. As @mskyle said, it's all dependent on the threat modeling and the infosec being arrayed against it. In fact, I think it's more of a license number compliance thing than an infosec thing.
Personally, the solution to this is often called a "mouse jiggler". It just jiggles the mouse / keyboard every X minutes, thus canceling any timeout actions.
posted by kschang at 12:46 PM on January 9, 2023
Most of the internal corporate sites my company uses have timeouts far shorter than 30 minutes, so I'd say it's pretty fair for public facing ones.
posted by The_Vegetables at 1:55 PM on January 9, 2023
Best answer: Thirty minutes would be considered over-generous to some of the clients I work with. I'm used to dealing with InfoSec people from the banking and finance sectors, and often they'll want sessions to expire after 5 or 10 minutes maximum.
Having said that, if your OS is already set up to go to a lock screen after 5 or 10 minutes, then there may not be any extra benefit in messing with session timeouts.
posted by pipeski at 1:56 PM on January 9, 2023
It's not really comparable to email, because sharing protected information via email is definitely a violation. Is it at your company?
We do have secure email, with explicit login required, for sharing sensitive documents. That also logs out after less than 30 minutes.
posted by The_Vegetables at 1:57 PM on January 9, 2023
One poster has already mentioned the risk presented by users downloading the information.
Such a feature is also going to possibly result in people taking smartphone pics of their screens - another risk!
posted by jacobean at 2:33 PM on January 9, 2023
Session timeouts can be calculated in a few different ways:
- You log in, 30 minutes pass and then, no matter what, you are logged out and lose all unsaved data.
- You log in, every time you type something, the 30 min countdown is reset and starts counting down again.
- You log in, every time you move the mouse, the 30 min countdown is reset and starts counting down again.
- Some combination of the above. In many systems there will be a disconnect after 15-60 minutes of inactivity and also a hard disconnect after a few hours.
The cost of lost/unsaved data in these situations is often underestimated because it never gets measured.
posted by Lanark at 2:59 PM on January 9, 2023
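The timeout models Lanark lists above, as an added example rather than code from any poster: a server-side check that combines the "reset on activity" inactivity window with a hard lifetime, so that activity (real or jiggler-generated) can extend a session only up to the absolute limit. The 8-hour absolute limit and the request timestamps are constructed for illustration.

```python
from dataclasses import dataclass
from enum import Enum

# Constructed policy values: the thread's 30-minute inactivity window plus a
# hypothetical 8-hour hard limit (assumption, not a value from the thread).
IDLE_TIMEOUT_S = 30 * 60
ABSOLUTE_TIMEOUT_S = 8 * 60 * 60


class Expiry(Enum):
    VALID = "valid"
    IDLE = "expired_idle"          # no request for IDLE_TIMEOUT_S or longer
    ABSOLUTE = "expired_absolute"  # lifetime exceeded regardless of activity


@dataclass
class Session:
    created_at: float  # epoch seconds at login
    last_seen: float   # epoch seconds of the last request that counted as activity

    def check(self, now: float) -> Expiry:
        """Evaluate the combined policy. The absolute limit is tested first so
        that a continuous stream of activity can never push a session past it."""
        if now - self.created_at >= ABSOLUTE_TIMEOUT_S:
            return Expiry.ABSOLUTE
        if now - self.last_seen >= IDLE_TIMEOUT_S:
            return Expiry.IDLE
        return Expiry.VALID

    def touch(self, now: float) -> Expiry:
        """Called on each authenticated request. Only a still-valid session has
        its idle clock reset; an expired one is reported and left untouched so
        the caller can tear it down and require a fresh login."""
        state = self.check(now)
        if state is Expiry.VALID:
            self.last_seen = now
        return state


def replay(login_at: float, activity: list[float]) -> list[Expiry]:
    """Replay constructed request timestamps against a fresh session and return
    the verdict the server would give on each request, in order."""
    session = Session(created_at=login_at, last_seen=login_at)
    return [session.touch(t) for t in activity]
```

Requests 10 and 20 minutes apart keep the session alive, a gap of exactly 30 minutes ends it, and requests every 25 minutes keep it alive only until the hard limit is reached.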
Also note that short timeouts may lead to users downloading the information they need to their local machines, which can be its own security risk, or even using plugins to keep the background tab "live."
posted by mskyle at 12:37 PM on January 9, 2023 [3 favorites]