How long should you let a user stay signed in for on a web application?

Tags:

session

Background to question: We are building an online web application that requires the user to sign in. We will add the ability to "keep me signed in on this computer for x weeks."

Question:

What is the normal standard for how long you should allow a user to stay signed in for?

* 2 weeks?
* 4 weeks?
* Forever?

And why? Is there a reason that we should not allow our users to stay signed in forever?

Will Gill, asked Jun 03 '09 14:06


1 Answer

I don't know if there is a standard, really. It all depends on your application and security concerns. You don't want just anybody to be able to sit down at your computer and grab your credit card number while you're still logged in.

But Stackoverflow, for example, doesn't have the highest security concern regarding logins and it shouldn't. It's a big convenience that I don't have to sign in here for every visit.

On the other hand, my job involves developing & supporting a large online insurance application. It's a little more important that I keep it secure as we gather a lot of personal information. Of course, we don't gather credit card or social security numbers and we certainly don't want the login to time out in the middle of an application. So we went with a compromise of a 12 hour timeout tied to a session. This means that closing the browser has the effect of automatically logging out, or if you let the browser sit on the site for 12 hours you're logged out that way too.

And then at the far end of the spectrum you have your online banking sites which typically sign you out after about 20 minutes. This makes perfect sense as I can't think of a worst-case scenario than somebody stealing all of my money all because online banking kept me logged in too long.

Steve Wortham, answered Nov 03 '22 02:11
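The three tiers the answer describes (a 20-minute idle sign-out, a 12-hour lifetime tied to the browser session, and a multi-week "keep me signed in") can all be expressed with the same two server-side rules plus a cookie persistence flag. The example below is added here and is not code from the question or the answer; the policy names, the `SessionPolicy` fields and the helper functions are hypothetical, and it generalizes the answer by letting a policy combine an absolute lifetime with an idle timeout. The key point it makes is that the cookie's expiry is only a hint to the browser; the server decides whether a session is still valid.

```python
# Added example (not from the thread): server-side session lifetime policies.
# All names here are hypothetical illustrations of the tiers discussed above.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class SessionPolicy:
    """How long a login stays valid. None disables that rule."""
    absolute_lifetime_s: Optional[int]  # max seconds since login, regardless of activity
    idle_timeout_s: Optional[int]       # max seconds between two requests
    persist_cookie: bool                # False: cookie is dropped when the browser closes


# Hypothetical values modelled on the thread, not a standard.
BANKING = SessionPolicy(absolute_lifetime_s=None, idle_timeout_s=20 * 60, persist_cookie=False)
INSURANCE = SessionPolicy(absolute_lifetime_s=12 * 3600, idle_timeout_s=None, persist_cookie=False)
REMEMBER_ME = SessionPolicy(absolute_lifetime_s=2 * 7 * 24 * 3600, idle_timeout_s=None, persist_cookie=True)


def session_is_valid(policy: SessionPolicy, seconds_since_login: int,
                     seconds_since_last_request: int) -> bool:
    """The authoritative check, run on every request before trusting the session.

    A session must pass every rule the policy enables; the browser's cookie
    expiry is never consulted, because a client can keep or replay a cookie
    long after the server intended it to die.
    """
    if policy.absolute_lifetime_s is not None and seconds_since_login > policy.absolute_lifetime_s:
        return False
    if policy.idle_timeout_s is not None and seconds_since_last_request > policy.idle_timeout_s:
        return False
    return True


def set_cookie_header(policy: SessionPolicy, token: str) -> str:
    """Build the Set-Cookie line for a freshly issued session token.

    Only a persistent policy gets Max-Age; leaving it out yields a session
    cookie, which is what gives the 'closing the browser logs you out' effect.
    """
    attrs = [f"session={token}", "Path=/", "HttpOnly", "Secure", "SameSite=Lax"]
    if policy.persist_cookie and policy.absolute_lifetime_s is not None:
        attrs.append(f"Max-Age={policy.absolute_lifetime_s}")
    return "Set-Cookie: " + "; ".join(attrs)
```

Whatever lifetime you choose, store `logged_in_at` and `last_seen_at` server-side and evaluate them with `session_is_valid` on each request, so that a stolen or lingering cookie expires when you intended rather than when the browser decides.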