[OpenID] rfc2817: https vs http
SitG Admin
sysadmin at shadowsinthegarden.com
Tue Sep 2 06:08:03 UTC 2008
>> You can use a custom session handler (not too difficult - databases work for
>> this) to set your own duration.
>
>I repeat: not if the client drops the session after five minutes.
I'm not subscribed to the cryptography list, I think I missed the
first time you said that the *client* would be dropping the session
after five minutes. I'm curious as to why the client would do this
when you explicitly set the expiry date to further than 5 minutes
into the future, too - is that to do with the client certs?
I was thinking of having to work around a server that forgets
sessions more than 5 minutes old, that's why the database. If the
*client* forgets, remembering things server-side any longer *would*
be kinda pointless, then, yeah.
>True, but entirely unrelated to SSL session duration.
True, but since I've wasted several months overall on coming up with
various ways to improve my web security before, just recently,
realizing that it's much more efficient to simply educate users about
using the appropriate passwords to indicate their desired level of
access, I'm a bit strong right now on the "Let's outsource enough
security to the users that we don't have to drive ourselves nuts on
convenience." front.
Though, to be fair, I don't (currently) have to worry about users
that don't know anything and won't learn - all of mine^1 are so
security-conscious already that I'm confident in their willingness to
use one password for "I'm at a public terminal or worried about
interception, give me limited access for a short time so I don't need
to worry about anything." and another password for "I'm at a secure
facility, give me full access and whatever security won't compromise
convenience since I probably won't need it."
It's different for most use-cases, so I'll withhold further
objections along these lines. I'm too used to not having to sacrifice
security for convenience to really be qualified on advising those who
may not enjoy such freedoms.
-Shade, burning tin
^1) In fact, most of them *exceed* my own standards, to such a degree
that some of them won't even try to log in. I haven't bothered
setting up accounts for several, because I expect that they won't try
to deal with me through the site - convincing all these people that
the *internet* is safe is one of the most conflicted, complicated,
*vexing* tasks I face :)