[OpenID] rfc2817: https vs http
Ben Laurie
benl at google.com
Tue Sep 2 02:50:04 UTC 2008
On Tue, Sep 2, 2008 at 2:01 AM, SitG Admin
<sysadmin at shadowsinthegarden.com> wrote:
>> typically last on the order of five minutes, an insanely conservative
>> figure.
>>
>> What we need is something like HTTPS, shareable across protocols, with
>> caches that last at least hours, maybe days.
>
> You can use a custom session handler (not too difficult - databases work for
> this) to set your own duration.
I repeat: not if the client drops the session after five minutes.
> But the issue here isn't convenience, it's
> security. No matter how impeccable the cryptography end is, it can't detect
> when a thief has broken into the user's home and is logging into their
> sessions. Who logs out when they don't need to? Or when a temporary network
> outage prevents someone (let's call her Alice) at a public terminal from
> logging out (because it's the remote server that registers this), and that
> person doesn't know how to delete cookies (or doesn't have the permissions
> on that system to do so), but has to leave before the network comes back up,
> and the next person (let's call him Bob) to visit that site will be prepared
> to log into Bob's account, but instead will find that the site recognizes
> their computer and says "Hello, Alice. Welcome . . . "
True, but entirely unrelated to SSL session duration.