Background to question: We are building an online web application that requires the user to sign in. We will add the ability to "keep me signed in on this computer for x weeks."
Question:
What is the normal standard for how long you should allow a user to stay signed in for? * 2 weeks? * 4 weeks? * Forever?
And why? Is there a reason that we should not allow our users to stay signed in forever?
It's easier in the short term but it could put your security at risk. It's tempting to remain logged in to your favorite websites on your smartphone, tablet, or laptop. But if you're using a public computer or WiFi connection, that's bad idea.
When you visit most websites, it's common to see a box labeled Keep me logged in, Remember me, or similar next to the username and password fields. If you check this box before you sign in, you won't have to sign back into the website next time you return, even if you close your browser and come back later.
The Keep me logged in feature will download a cookie that allows you to access Questionmark from the same machine without needing to enter your username and password for up to 7 days between sessions.
I don't know if there is a standard, really. It all depends on your application and security concerns. You don't want just anybody to be able to sit down at your computer and grab your credit card number while you're still logged in.
But Stackoverflow, for example, doesn't have the highest security concern regarding logins and it shouldn't. It's a big convenience that I don't have to sign in here for every visit.
On the other hand, my job involves developing & supporting a large online insurance application. It's a little more important that I keep it secure as we gather a lot of personal information. Of course, we don't gather credit card or social security numbers and we certainly don't want the login to time out in the middle of an application. So we went with a compromise of a 12 hour timeout tied to a session. This means that closing the browser has the effect of automatically logging out, or if you let the browser sit on the site for 12 hours you're logged out that way too.
And then at the far end of the spectrum you have your online banking sites which typically sign you out after about 20 minutes. This makes perfect sense as I can't think of a worse case scenario than somebody stealing all of my money all because online banking kept me logged in too long.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With