Date: Sat, 27 Apr 2013 10:09:14 -0400
From: Bruce Momjian
To: Stefan Kaltenbrunner
Cc: "Joshua D. Drake", Paul Waring, pgsql-www@postgresql.org
Subject: Re: Can we change auto-logout timing on wiki.postgresql.org?

On Sat, Apr 27, 2013 at 11:10:43AM +0200, Stefan Kaltenbrunner wrote:
> On 04/27/2013 08:55 AM, Joshua D. Drake wrote:
> >
> > On 04/26/2013 11:39 PM, Stefan Kaltenbrunner wrote:
> >
> >> interesting hint - thanks.
> >>
> >> I have now increased the relevant timeouts to 6h - let's see how that
> >> goes..
> >
> > FTR, I don't think we should autologout people or at least it should be
> > set to something like 7D.
>
> well from a security perspective it is usually advisable to keep session
> lifetimes as short as possible, I agree that the current setup was way
> too aggressive, but 6h already results in a 6-15x increase of what we had
> before. We can always adjust upwards if people are really working 6h+
> on an article but let's see first if this change really fixes the issue
> berkus complained about.

This is a wiki, not a banking website. We need to use security that is
appropriate for what we are guarding. We could just prevent edits and
it would be even more secure. ;-)

I would like 7 days, myself.

-- 
  Bruce Momjian        http://momjian.us
  EnterpriseDB         http://enterprisedb.com

  + It's impossible for everything to be true. +