| From: | Bruce Momjian <bruce(at)momjian(dot)us> |
|---|---|
| To: | Stefan Kaltenbrunner <stefan(at)kaltenbrunner(dot)cc> |
| Cc: | "Joshua D(dot) Drake" <jd(at)commandprompt(dot)com>, Paul Waring <paul(at)xk7(dot)net>, pgsql-www(at)postgresql(dot)org |
| Subject: | Re: Can we change auto-logout timing on wiki.postgresql.org? |
| Date: | 2013-04-27 14:09:14 |
| Message-ID: | 20130427140914.GA20361@momjian.us |
| Lists: | pgsql-www |
On Sat, Apr 27, 2013 at 11:10:43AM +0200, Stefan Kaltenbrunner wrote:
> On 04/27/2013 08:55 AM, Joshua D. Drake wrote:
> >
> > On 04/26/2013 11:39 PM, Stefan Kaltenbrunner wrote:
> >
> >> interesting hint - thanks.
> >>
> >> I have now increased the relevant timeouts to 6h - let's see how that
> >> goes..
> >
> > FTR, I don't think we should autologout people or at least it should be
> > set to something like 7D.
>
> well from a security perspective it is usually advisable to keep session
> lifetimes as short as possible, I agree that the current setup was way
> too aggressive, but 6h already results in a 6-15x increase of what we had
> before. We can always adjust upwards if people are really working 6h+
> on an article but let's see first if this change really fixes the issue
> berkus complained about.

This is a wiki, not a banking website. We need to use security that is
appropriate for what we are guarding. We could just prevent edits and
it would be even more secure. ;-)

I would like 7 days, myself.

--
Bruce Momjian <bruce(at)momjian(dot)us> http://momjian.us
EnterpriseDB http://enterprisedb.com
+ It's impossible for everything to be true. +