Preserved Topic: Session Timers (Page 1 of 1) $Pages that link to <a href="https://ozoneasylum.com/backlink?for=21072" title="Pages that link to Preserved Topic: Session Timers (Page 1 of 1)" rel="nofollow" >Preserved Topic: Session Timers <span class="small">(Page 1 of 1)</span>\$

lg5350 Obsessive-Compulsive (I) Inmate From: USA Insane since: Mar 2003	posted 12-15-2003 16:37 As everyone knows (except one of my Federal clients), session timers are a good thing to use, from both a Security perspective, and a Server Management perspective. Problem is, my client wants a 60 minute session timer, which is completely unacceptable for the type of application it is. So, my question to you my fellow developers and designers is, can you find me any written evidence as to why session timers are a necessary evil, and why the shorter the better? I've looked on about 55 websites now, and none of them seem to have good reasons as to why. They just explain how, which I already know. Your help is very much appreciated. Thanks! __________________________________ "Tragedy is when I cut my finger. Comedy is when you fall into a sewer hole and die." - Mel Brooks [This message has been edited by lg5350 (edited 12-15-2003).]
Tyberius Prime Paranoid (IV) Mad Scientist with Finglongers From: Germany Insane since: Sep 2001	posted 12-15-2003 17:32 Well, I've a feeling you're pulling at the wrong end of the horse. First, Session timers itself are not good per se, they're necessary because things fail to sign of properly (due whatever reason, not limited to power failure, communication failure, user error). Now, to short a session timer can frustrate users to no end... I know my bank kicks me out every 5 minutes or so, making tabbed browsing with them a pain (I have to login all the time). Therefore, the developer has to strike a balance between assuming a client is no longer talking to us, and the user's just idleing (or working on something else) a bit. In a web enviroment, session spoofing or stealing is also often a concern, though this can be serverly limited with IP checking, if you're unafraid to lock out users using a certain kind of proxy. Now, sit down and think for a minute. Your client wants a 60 minute timeout. Why? And why shouldn't he get one? Is it dangerous? Does it put a terrible strain on the servers? Is it an inconvenience to you (in which case it's always good to know who pays the bills)? And why do you seem to be unable to convince him that such a long timeout is unacceptable? Why is in unacceptable in the first place? So long, Tyberius Prime
lg5350 Obsessive-Compulsive (I) Inmate From: USA Insane since: Mar 2003	posted 12-15-2003 20:58 Well, here's the long and short of it: I work for a US Federal agency, which I won't name. I'm a contractor who's been hired to help make some of their more sensitive applications Web Standards (Section 508) compliant. I'm no moron. I've been in the business for over 8 years now. The reason a 60 minute session timer is too much is because the application is used to enter, store, and display sensitive data, and a 20 minute session timer is standard issue for this type of application. Per Section 508 rules, it does of course warn the user if they've been inactive for 15 minutes, and gives them five minutes to hit the "refresh" button which we added to the application so they can keep it fresh if they are digging through paperwork for the correct data to enter. A 20 minute session timer isn't short. Not at all. But 60 minutes is ridiculus for the type of application. That's more than enough time for someone to walk away from their desk, forget to lock their workstation (as a lot of people around here do, which is a violation of the computer security policy), and let someone spend considerable time retrieving loads of sensitive data. So, the session timer here is a necessary evil. So, that's why a 60 minute session timer is unacceptable. The problem is, my staff agrees with me. The people who hold the contract agree with me. Everyone agrees with except a certain person at the top of the food chain who has ABSOLUTELY no idea what computer security is, and why it's necessary. Because of this, we can't move forward until he has been convinced, and he's flat-out said that, until he's got actual hard proof as to why a long session timer is a bad thing for this application, he won't let us continue forward. That's what happens when un-technical people are put in-charge of ultra-technical people. __________________________________ "Tragedy is when I cut my finger. Comedy is when you fall into a sewer hole and die." - Mel Brooks
Tyberius Prime Paranoid (IV) Mad Scientist with Finglongers From: Germany Insane since: Sep 2001	posted 12-15-2003 21:57 still, I believe you have to convince him that the 60 minute time out is bad. Isn't there a regulation for this? Or maybe ask him what he'd rather have: a 15 minute limit, or someone suing the agency for having let their sensitive data out? Talking to him about the recent worm problems, mentioning that this was part of the cause of the power failures in the north east might enligthen him a bit about computer security. If he's as far up the food chain as you describe, what's his buissness micromanaging this anyhow? Worst case: You'll implement the 60 minutes timeout. Make sure to get a waiver from him. You don't want to be sucessfully sued for his inability to comprehend the problem. You might also want to impress him with power point slides, aka 'evil intruder' and so on ;-)
lg5350 Obsessive-Compulsive (I) Inmate From: USA Insane since: Mar 2003	posted 12-15-2003 22:29 I'm actually not sure how this got all the way up to him. He does review the applications that we push, but not until they are live, and his so-called review is more of a note from our Contract Officer saying, "Yeah, he said it's good." I think I should just try the Wookie Defense: "Ladies and Gentlemen, this is Chewbacca. Chewbacca is a Wookiee from the planet Kashyyyk who carried a gun and ran from the mob. But Chewbacca lives on the planet Endor. Now think about it. That does not make sense. Why would a Wookiee, an eight-foot-tall Wookiee, want to live on Endor with a bunch of two-foot-tall Ewoks. That does not make sense." If that doesn't throw him off, we're screwed. __________________________________ "Tragedy is when I cut my finger. Comedy is when you fall into a sewer hole and die." - Mel Brooks [This message has been edited by lg5350 (edited 12-15-2003).]

Preserved Topic: Session Timers (Page 1 of 1) $Pages that link to <a href="https://ozoneasylum.com/backlink?for=21072" title="Pages that link to Preserved Topic: Session Timers (Page 1 of 1)" rel="nofollow" >Preserved Topic: Session Timers <span class="small">(Page 1 of 1)</span>\$

lg5350
Obsessive-Compulsive (I) Inmate

From: USA
Insane since: Mar 2003

posted 12-15-2003 16:37

As everyone knows (except one of my Federal clients), session timers are a good thing to use, from both a Security perspective, and a Server Management perspective. Problem is, my client wants a 60 minute session timer, which is completely unacceptable for the type of application it is.

So, my question to you my fellow developers and designers is, can you find me any written evidence as to why session timers are a necessary evil, and why the shorter the better? I've looked on about 55 websites now, and none of them seem to have good reasons as to why. They just explain how, which I already know.

Your help is very much appreciated. Thanks!

__________________________________

"Tragedy is when I cut my finger. Comedy is when you fall into a sewer hole and die." - Mel Brooks

[This message has been edited by lg5350 (edited 12-15-2003).]

Tyberius Prime
Paranoid (IV) Mad Scientist with Finglongers

From: Germany
Insane since: Sep 2001

posted 12-15-2003 17:32

Well, I've a feeling you're pulling at the wrong end of the horse.

First, Session timers itself are not good per se, they're necessary because things fail to sign of properly (due whatever reason, not limited to power failure, communication failure, user error).
Now, to short a session timer can frustrate users to no end... I know my bank kicks me out every 5 minutes or so, making tabbed browsing with them a pain (I have to login all the time).

Therefore, the developer has to strike a balance between assuming a client is no longer talking to us, and the user's just idleing (or working on something else) a bit.

In a web enviroment, session spoofing or stealing is also often a concern, though this can be serverly limited with IP checking, if you're unafraid to lock out users using a certain kind of proxy.

Now, sit down and think for a minute. Your client wants a 60 minute timeout. Why? And why shouldn't he get one? Is it dangerous? Does it put a terrible strain on the servers? Is it an inconvenience to you (in which case it's always good to know who pays the bills)? And why do you seem to be unable to convince him that such a long timeout is unacceptable? Why is in unacceptable in the first place?

So long,

Tyberius Prime

lg5350
Obsessive-Compulsive (I) Inmate

From: USA
Insane since: Mar 2003

posted 12-15-2003 20:58

Well, here's the long and short of it:

I work for a US Federal agency, which I won't name. I'm a contractor who's been hired to help make some of their more sensitive applications Web Standards (Section 508) compliant. I'm no moron. I've been in the business for over 8 years now.

The reason a 60 minute session timer is too much is because the application is used to enter, store, and display sensitive data, and a 20 minute session timer is standard issue for this type of application.

Per Section 508 rules, it does of course warn the user if they've been inactive for 15 minutes, and gives them five minutes to hit the "refresh" button which we added to the application so they can keep it fresh if they are digging through paperwork for the correct data to enter.

A 20 minute session timer isn't short. Not at all. But 60 minutes is ridiculus for the type of application. That's more than enough time for someone to walk away from their desk, forget to lock their workstation (as a lot of people around here do, which is a violation of the computer security policy), and let someone spend considerable time retrieving loads of sensitive data. So, the session timer here is a necessary evil.

So, that's why a 60 minute session timer is unacceptable.

The problem is, my staff agrees with me. The people who hold the contract agree with me. Everyone agrees with except a certain person at the top of the food chain who has ABSOLUTELY no idea what computer security is, and why it's necessary. Because of this, we can't move forward until he has been convinced, and he's flat-out said that, until he's got actual hard proof as to why a long session timer is a bad thing for this application, he won't let us continue forward.

That's what happens when un-technical people are put in-charge of ultra-technical people.

__________________________________
"Tragedy is when I cut my finger. Comedy is when you fall into a sewer hole and die." - Mel Brooks

Tyberius Prime
Paranoid (IV) Mad Scientist with Finglongers

From: Germany
Insane since: Sep 2001

posted 12-15-2003 21:57

still, I believe you have to convince him that the 60 minute time out is bad.

Isn't there a regulation for this? Or maybe ask him what he'd rather have: a 15 minute limit, or someone suing the agency for having let their sensitive data out?
Talking to him about the recent worm problems, mentioning that this was part of the cause of the power failures in the north east might enligthen him a bit about computer security.
If he's as far up the food chain as you describe, what's his buissness micromanaging this anyhow?

Worst case: You'll implement the 60 minutes timeout. Make sure to get a waiver *from him*. You don't want to be sucessfully sued for his inability to comprehend the problem.

You might also want to impress him with power point slides, aka 'evil intruder' and so on ;-)

lg5350
Obsessive-Compulsive (I) Inmate

From: USA
Insane since: Mar 2003

posted 12-15-2003 22:29

I'm actually not sure how this got all the way up to him. He does review the applications that we push, but not until they are live, and his so-called review is more of a note from our Contract Officer saying, "Yeah, he said it's good."

I think I should just try the Wookie Defense:

"Ladies and Gentlemen, this is Chewbacca. Chewbacca is a Wookiee from the planet Kashyyyk who carried a gun and ran from the mob. But Chewbacca lives on the planet Endor. Now think about it. That does not make sense. Why would a Wookiee, an eight-foot-tall Wookiee, want to live on Endor with a bunch of two-foot-tall Ewoks. That does not make sense."

If that doesn't throw him off, we're screwed.

__________________________________
"Tragedy is when I cut my finger. Comedy is when you fall into a sewer hole and die." - Mel Brooks

[This message has been edited by lg5350 (edited 12-15-2003).]