23 September 2008

What Should the Session Time Out Period Be?

An important setting in any web application is how long to allow a user to remain logged in, before timing out automatically, after a period of inactivity.

Long periods (greater than an hour) are not usually recommended, although some web sites such as Amazon and Facebook use them to improve the "user experience", at the cost of reduced protection.

Session time outs are a protection mechanism for users who leave their computer unattended, or who walk away from a shared computer without logging out of an application. After the time out period, the user has to log in again. This is somewhat like a password-protected screen saver which starts after a number of minutes of inactivity on a computer.

But what session time out should be used? The Open Web Application Security Project's Development Guide suggests:

5 minutes for highly protected applications through to no more than 20 minutes for low risk applications

20 minutes is a good starting point, but a longer period may be justified where users have long forms to complete or large amounts of text to read or write. In these cases, it may be worth considering mechanisms to extend the time out on those particular pages only (rather than raising it for the whole application), and to warn the user shortly before the time out so that unsaved work is not lost. The types of users and their web experience are also factors. Generally 20 minutes should be seen as a maximum, and anything greater than this needs to be assessed carefully. If you can, try 10 or 15 minutes.

It may be appropriate to let the user choose their own time out, within limits enforced on the server, so that if they log in from their own personal computer at home the period is longer, but from a public computer (for example in a library or cafe) or via a shared connection on an untrusted network (for example WiFi on public transport) the period is shorter.

If you have longer session time outs, be aware of the additional risks and make sure you ask users to re-authenticate when more-sensitive requests are made (e.g. changing account details). Amazon does this by asking you to log in again when going to the check out and payment.
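As an added illustration of the points above (an idle time out, a countdown for warning the user, a user-chosen period clamped to server-side limits, and re-authentication before sensitive requests), here is a small server-side session store in Python. It is example code written for this page, not code from the original post or from any of the sites mentioned. The limits (5, 10, 20 and 60 minutes, a 5 minute re-authentication window) are hypothetical values, the 8 hour absolute lifetime is an extra control the post does not discuss, and the user name and hand-advanced clock in demo() are constructed for the demonstration.

```python
# Added example, not code from the original post. All policy limits are hypothetical.
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Optional

MINUTE = 60
DEFAULT_IDLE = 20 * MINUTE            # the post's suggested starting point
MIN_IDLE = 5 * MINUTE                 # floor used for highly protected applications
MAX_IDLE_PUBLIC = 10 * MINUTE         # ceiling on a shared or public computer
MAX_IDLE_TRUSTED = 60 * MINUTE        # ceiling on the user's own computer
ABSOLUTE_LIFETIME = 8 * 60 * MINUTE   # hard cap regardless of activity (extra control)
REAUTH_WINDOW = 5 * MINUTE            # sensitive requests need a login this recent

def clamp_idle(requested: Optional[int], trusted_device: bool) -> int:
    """Bound a user-chosen idle time out (seconds) to the policy for the device type."""
    ceiling = MAX_IDLE_TRUSTED if trusted_device else MAX_IDLE_PUBLIC
    if requested is None:
        return min(DEFAULT_IDLE, ceiling)
    return max(MIN_IDLE, min(requested, ceiling))

@dataclass
class Session:
    user: str
    created: float      # when the user logged in
    last_seen: float    # last request made with this session
    last_auth: float    # last time credentials were presented
    idle_limit: int     # seconds of inactivity allowed

class SessionStore:
    def __init__(self, clock: Callable[[], float] = time.monotonic) -> None:
        self._clock = clock            # injectable so the demo needs no real waiting
        self._sessions: dict = {}      # session id -> Session

    def create(self, user: str, trusted_device: bool = False,
               requested_idle: Optional[int] = None) -> str:
        now = self._clock()
        sid = secrets.token_urlsafe(32)   # unguessable session identifier
        limit = clamp_idle(requested_idle, trusted_device)
        self._sessions[sid] = Session(user, now, now, now, limit)
        return sid

    def validate(self, sid: str) -> Optional[Session]:
        """Return the live session and refresh its idle clock, or drop it if expired."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self._clock()
        if now - s.last_seen > s.idle_limit or now - s.created > ABSOLUTE_LIFETIME:
            self.logout(sid)              # terminate server-side, not just the cookie
            return None
        s.last_seen = now
        return s

    def seconds_until_idle_timeout(self, sid: str) -> int:
        """Remaining idle time for a warning; not counted as activity, so polling cannot keep a session alive."""
        s = self._sessions.get(sid)
        if s is None:
            return 0
        return max(0, int(s.idle_limit - (self._clock() - s.last_seen)))

    def needs_reauth(self, sid: str) -> bool:
        """True when a sensitive request should first go through a fresh login."""
        s = self._sessions.get(sid)
        return s is None or self._clock() - s.last_auth > REAUTH_WINDOW

    def reauthenticate(self, sid: str) -> Optional[str]:
        """After the user re-enters credentials: refresh last_auth and rotate the id."""
        s = self.validate(sid)
        if s is None:
            return None
        del self._sessions[sid]
        s.last_auth = self._clock()
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = s
        return new_sid

    def logout(self, sid: str) -> None:
        self._sessions.pop(sid, None)

def demo() -> dict:
    """Walk a public-computer session through the time outs; returns what happened."""
    t = [1000.0]                                # constructed clock, advanced by hand
    store = SessionStore(clock=lambda: t[0])
    sid = store.create("alice", trusted_device=False, requested_idle=45 * MINUTE)
    result = {"idle_limit": store.validate(sid).idle_limit}         # 45 min clamped to 600 s
    t[0] += 9 * MINUTE
    result["alive_at_9m"] = store.validate(sid) is not None          # activity resets the idle clock
    result["warn_after"] = store.seconds_until_idle_timeout(sid)     # full 600 s again
    result["needs_reauth"] = store.needs_reauth(sid)                 # 9 min since login > 5 min window
    new_sid = store.reauthenticate(sid)
    result["old_id_dead"] = store.validate(sid) is None              # old id rotated away
    result["reauth_cleared"] = not store.needs_reauth(new_sid)
    t[0] += 11 * MINUTE
    result["expired_after_idle"] = store.validate(new_sid) is None   # 11 min idle > 10 min limit
    return result

if __name__ == "__main__":
    print(demo())
```

Two design choices are worth noting. The warning countdown reads last_seen without updating it, so a page that polls for "time remaining" cannot keep the session alive on its own; only real requests do. And re-authentication issues a new session identifier as well as refreshing last_auth, so a session that has been stepped up is not the same token that was sitting in the browser before the login prompt.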

Of course, how you time someone out, how you terminate the session (it must be invalidated on the server, not merely by clearing the cookie in the browser) and what the user sees afterwards are also important.

Posted on: 23 September 2008 at 06:32 hrs

http://www.clerkendweller.com/2008/9/23/What-Should-the-Session-Time-Out-Period-Be
© 2008-2010 clerkendweller.com