
Extend timer for sign-out in a given web session

Open changecourse opened this issue 6 years ago • 7 comments

Current: Currently our time until sign-out is ~15 minutes for inactivity within Monitor.

Proposed: Change the timeout to 48 hours.

Additional Context: Our current timeout is problematic for a couple of key reasons:

  1. Our upcoming featureset for #1224 means that people will be presented with a set of actionable recommendations for resolving a breach. This will occur in different tabs/windows, and I'd hate to log someone out of Monitor while they're in the process of resolving a breach.

  2. Anecdotally, people aren't seeing (or remembering) the 'new' tags associated with breaches since their last visit. This is, in part, because the act of logging in (and then automatically getting logged out) clears the tag.

I'd like some thoughts from @groovecoder & @sandysage around the potential for us to drastically increase the timer... a couple of options worth considering:

  • maintaining a logged in state until a browser session is closed?
  • maintaining a logged in state for one week?

Whatever we can do to ensure that someone isn't interrupted or frustrated by this timeout, while still feeling good about protecting their info.

changecourse avatar Nov 06 '19 17:11 changecourse

We previously limited the window of time to ~15 minutes for inactivity within Monitor due to the nature of the product: a signed in user sees their personal data breaches, including sensitive breaches, on their dashboard. We opted to err on the side of caution with the consideration of public-use computers.

That said, this is a very reasonable use case for where we'd want to extend that log out window of time. I'd be interested to gather from @groovecoder what our options are.

sandysage avatar Nov 06 '19 17:11 sandysage

> We previously limited the window of time to ~15 minutes for inactivity within Monitor due to the nature of the product: a signed in user sees their personal data breaches, including sensitive breaches, on their dashboard.

Yeah, accounts containing sensitive breaches are the one use case for more discretion... otherwise everything else is effectively public knowledge, and doesn't need the level of security we're applying to it.

changecourse avatar Nov 06 '19 18:11 changecourse

There's not really a technical limit here. We can make it anything up to the max age of a cookie, for which I can't even find a limit?

groovecoder avatar Nov 07 '19 23:11 groovecoder

Do you have a recommendation to throw into the mix, @groovecoder, either from my bullet points above, or an alternate?

changecourse avatar Nov 07 '19 23:11 changecourse

Let's plan to measure how long it takes people, on average, to resolve a breach and then circle back to this issue in the future.

sandysage avatar Nov 26 '19 16:11 sandysage

@sandysage I think in the short term, we should adjust this timer to 24-48 hours... and then reopen an issue if we need to adjust it again.

Rationale for changing from 15 min to 24-48 hours?

Ensuring we don't annoy someone as they potentially load up and authenticate into Monitor, and allowing them a reasonable amount of time to address things.

changecourse avatar Dec 09 '19 17:12 changecourse

Can I please work on this issue?

Shivansh2407 avatar Jan 20 '20 15:01 Shivansh2407

Closing since we've redesigned the site and functionality since this was created. If you feel that this is still needed, please let me know.

EMMLynch avatar Mar 06 '24 21:03 EMMLynch