docassemble
Ping server instead of timeout in playground
Instead of timing out the session and displaying a message, the playground could ping the server every hour(?) in order to keep the session alive.
Could this be a configuration setting? I tend to forget old tabs and wouldn't want one keeping open the session just because I forgot about it.
The expiration of the CSRF code is a security feature, so I don't want to undermine a security feature. If anything, I think I should be doing more to forcibly log people out after inactivity, particularly if they are Playground users.
I would like to understand how keeping a session open undermines security. This was essentially what my question was about prior to making this issue.
I understand that if the user leaves their terminal unlocked, someone could be entering code into the development system. I feel some security issues are up to the developer to look after. And, leaving your terminal unlocked can lead to all kinds of security issues whether DA logs out the user or not.
My understanding is that an exploit might entail obtaining a user's CSRF code and then waiting until the user is no longer active and then using the code to gain access to the system while the user isn't paying attention. The expiration of the CSRF code reduces the likelihood of such exploits being successful.
It seems like if it was configurable and defaulted to safety, the risks could be assessed by the developer per environment.
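To make the maintainer's point concrete (a token that expires limits how long a leaked CSRF token stays usable) and the follow-up request that the lifetime be configurable, here is an added example of a time-limited, HMAC-signed CSRF token with an adjustable maximum age. This is illustrative code written for this thread, not docassemble's implementation or Flask-WTF's; the secret, session id, function names and the one-hour default are constructed assumptions.

```python
import hashlib
import hmac
import time
from typing import Optional, Tuple

# Constructed placeholder; a real deployment reads this from its configuration secret.
SECRET_KEY = b"constructed-demo-secret-do-not-reuse"


def issue_csrf_token(session_id: str, now: Optional[float] = None) -> str:
    """Return '<timestamp>.<hmac>' bound to this session and issue time.

    The timestamp is part of the signed message, so it cannot be edited to
    extend the token's life without invalidating the signature.
    """
    issued_at = int(now if now is not None else time.time())
    message = f"{session_id}:{issued_at}".encode()
    signature = hmac.new(SECRET_KEY, message, hashlib.sha256).hexdigest()
    return f"{issued_at}.{signature}"


def validate_csrf_token(
    token: str,
    session_id: str,
    max_age_seconds: int = 3600,   # hypothetical configurable lifetime, one hour by default
    now: Optional[float] = None,
) -> Tuple[bool, str]:
    """Check structure, signature and age; return (ok, reason).

    Age is checked only after the signature passes, so a forged timestamp
    is rejected as 'bad signature' rather than trusted for the age test.
    """
    try:
        issued_str, signature = token.split(".", 1)
        issued_at = int(issued_str)
    except ValueError:
        return False, "malformed"

    expected = hmac.new(
        SECRET_KEY, f"{session_id}:{issued_at}".encode(), hashlib.sha256
    ).hexdigest()
    if not hmac.compare_digest(signature, expected):
        return False, "bad signature"

    current = now if now is not None else time.time()
    if current - issued_at > max_age_seconds:
        return False, "expired"
    return True, "ok"


if __name__ == "__main__":
    # Constructed scenario: a token issued at t=0 is checked 30 minutes and
    # 2 hours later under a one-hour policy, and under a longer 3-hour policy.
    token = issue_csrf_token("session-A", now=0)
    print(validate_csrf_token(token, "session-A", now=1800))                        # (True, 'ok')
    print(validate_csrf_token(token, "session-A", now=7200))                        # (False, 'expired')
    print(validate_csrf_token(token, "session-A", max_age_seconds=3 * 3600, now=7200))  # (True, 'ok')
    print(validate_csrf_token(token, "session-B", now=0))                           # (False, 'bad signature')
```

The `max_age_seconds` parameter is where a deployment-level setting would plug in: a shorter value narrows the window in which a copied token remains valid, a longer one trades that for fewer forced re-logins. Periodically pinging the server to refresh the session, as proposed at the top of the thread, would keep issuing fresh tokens and so effectively remove that window, which is why the maintainer treats the expiry as something to preserve rather than work around.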